]> git.ipfire.org Git - thirdparty/hostap.git/blame - src/rsn_supp/wpa.c
projects / thirdparty / hostap.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
FILS: Connect request for offloaded FILS shared key authentication
[thirdparty/hostap.git] / src / rsn_supp / wpa.c
CommitLineData
6fc6879b
JM		 1/*
2 * WPA Supplicant - WPA state machine and EAPOL-Key processing
0a614799 3 * Copyright (c) 2003-2017, Jouni Malinen <j@w1.fi>
73ed03f3 4 * Copyright(c) 2015 Intel Deutschland GmbH
6fc6879b 5 *
0f3d578e
JM		 6 * This software may be distributed under the terms of the BSD license.
7 * See README for more details.
6fc6879b
JM		 8 */
9
10#include "includes.h"
11
12#include "common.h"
2022f1d0 13#include "crypto/aes.h"
03da66bd
JM		 14#include "crypto/aes_wrap.h"
15#include "crypto/crypto.h"
3642c431 16#include "crypto/random.h"
2022f1d0 17#include "crypto/aes_siv.h"
0a614799 18#include "crypto/sha256.h"
03da66bd 19#include "common/ieee802_11_defs.h"
a6609937 20#include "common/ieee802_11_common.h"
fcd3d6ce 21#include "eap_common/eap_defs.h"
03da66bd 22#include "eapol_supp/eapol_supp_sm.h"
6fc6879b
JM		 23#include "wpa.h"
24#include "eloop.h"
6fc6879b
JM		 25#include "preauth.h"
26#include "pmksa_cache.h"
27#include "wpa_i.h"
28#include "wpa_ie.h"
29#include "peerkey.h"
6fc6879b
JM		 30
31
73ed03f3
MS		 32static const u8 null_rsc[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
33
34
6fc6879b
JM		 35/**
36 * wpa_eapol_key_send - Send WPA/RSN EAPOL-Key message
37 * @sm: Pointer to WPA state machine data from wpa_sm_init()
1049af7e 38 * @ptk: PTK for Key Confirmation/Encryption Key
6fc6879b
JM		 39 * @ver: Version field from Key Info
40 * @dest: Destination address for the frame
41 * @proto: Ethertype (usually ETH_P_EAPOL)
42 * @msg: EAPOL-Key message
43 * @msg_len: Length of message
44 * @key_mic: Pointer to the buffer to which the EAPOL-Key MIC is written
c93b7e18 45 * Returns: >= 0 on success, < 0 on failure
6fc6879b 46 */
1049af7e 47int wpa_eapol_key_send(struct wpa_sm *sm, struct wpa_ptk *ptk,
c93b7e18
AA		 48 int ver, const u8 *dest, u16 proto,
49 u8 *msg, size_t msg_len, u8 *key_mic)
6fc6879b 50{
c93b7e18 51 int ret = -1;
5e3b5197 52 size_t mic_len = wpa_mic_len(sm->key_mgmt);
98cd3d1c 53
ef9627cb
JM		 54 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL-Key frame to " MACSTR
55 " ver=%d mic_len=%d key_mgmt=0x%x",
56 MAC2STR(dest), ver, (int) mic_len, sm->key_mgmt);
a8e16edc 57 if (is_zero_ether_addr(dest) && is_zero_ether_addr(sm->bssid)) {
6fc6879b
JM		 58 /*
59 * Association event was not yet received; try to fetch
60 * BSSID from the driver.
61 */
62 if (wpa_sm_get_bssid(sm, sm->bssid) < 0) {
f049052b
BG		 63 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
64 "WPA: Failed to read BSSID for "
65 "EAPOL-Key destination address");
6fc6879b
JM		 66 } else {
67 dest = sm->bssid;
f049052b
BG		 68 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
69 "WPA: Use BSSID (" MACSTR
70 ") as the destination for EAPOL-Key",
71 MAC2STR(dest));
6fc6879b
JM		 72 }
73 }
2022f1d0
JM		 74
75 if (mic_len) {
76 if (key_mic && (!ptk || !ptk->kck_len))
77 goto out;
78
79 if (key_mic &&
80 wpa_eapol_key_mic(ptk->kck, ptk->kck_len, sm->key_mgmt, ver,
81 msg, msg_len, key_mic)) {
82 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
83 "WPA: Failed to generate EAPOL-Key version %d key_mgmt 0x%x MIC",
84 ver, sm->key_mgmt);
85 goto out;
86 }
28fb9bb1
JM		 87 if (ptk)
88 wpa_hexdump_key(MSG_DEBUG, "WPA: KCK",
89 ptk->kck, ptk->kck_len);
2022f1d0
JM		 90 wpa_hexdump(MSG_DEBUG, "WPA: Derived Key MIC",
91 key_mic, mic_len);
92 } else {
93#ifdef CONFIG_FILS
94 /* AEAD cipher - Key MIC field not used */
95 struct ieee802_1x_hdr *s_hdr, *hdr;
96 struct wpa_eapol_key *s_key, *key;
97 u8 *buf, *s_key_data, *key_data;
98 size_t buf_len = msg_len + AES_BLOCK_SIZE;
99 size_t key_data_len;
100 u16 eapol_len;
101 const u8 *aad[1];
102 size_t aad_len[1];
103
104 if (!ptk || !ptk->kek_len)
105 goto out;
106
107 key_data_len = msg_len - sizeof(struct ieee802_1x_hdr) -
108 sizeof(struct wpa_eapol_key) - 2;
109
110 buf = os_malloc(buf_len);
111 if (!buf)
112 goto out;
113
114 os_memcpy(buf, msg, msg_len);
115 hdr = (struct ieee802_1x_hdr *) buf;
116 key = (struct wpa_eapol_key *) (hdr + 1);
117 key_data = ((u8 *) (key + 1)) + 2;
118
119 /* Update EAPOL header to include AES-SIV overhead */
120 eapol_len = be_to_host16(hdr->length);
121 eapol_len += AES_BLOCK_SIZE;
122 hdr->length = host_to_be16(eapol_len);
123
124 /* Update Key Data Length field to include AES-SIV overhead */
125 WPA_PUT_BE16((u8 *) (key + 1), AES_BLOCK_SIZE + key_data_len);
126
127 s_hdr = (struct ieee802_1x_hdr *) msg;
128 s_key = (struct wpa_eapol_key *) (s_hdr + 1);
129 s_key_data = ((u8 *) (s_key + 1)) + 2;
130
131 wpa_hexdump_key(MSG_DEBUG, "WPA: Plaintext Key Data",
132 s_key_data, key_data_len);
133
134 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len);
135 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
136 * to Key Data (exclusive). */
137 aad[0] = buf;
138 aad_len[0] = key_data - buf;
139 if (aes_siv_encrypt(ptk->kek, ptk->kek_len,
140 s_key_data, key_data_len,
141 1, aad, aad_len, key_data) < 0) {
142 os_free(buf);
143 goto out;
144 }
145
146 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
147 key_data, AES_BLOCK_SIZE + key_data_len);
148
149 os_free(msg);
150 msg = buf;
151 msg_len = buf_len;
152#else /* CONFIG_FILS */
04b6b3ed 153 goto out;
2022f1d0 154#endif /* CONFIG_FILS */
04b6b3ed 155 }
2022f1d0 156
6fc6879b 157 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key", msg, msg_len);
c93b7e18 158 ret = wpa_sm_ether_send(sm, dest, proto, msg, msg_len);
6fc6879b 159 eapol_sm_notify_tx_eapol_key(sm->eapol);
04b6b3ed 160out:
6fc6879b 161 os_free(msg);
c93b7e18 162 return ret;
6fc6879b
JM		 163}
164
165
166/**
167 * wpa_sm_key_request - Send EAPOL-Key Request
168 * @sm: Pointer to WPA state machine data from wpa_sm_init()
169 * @error: Indicate whether this is an Michael MIC error report
170 * @pairwise: 1 = error report for pairwise packet, 0 = for group packet
6fc6879b
JM		 171 *
172 * Send an EAPOL-Key Request to the current authenticator. This function is
173 * used to request rekeying and it is usually called when a local Michael MIC
174 * failure is detected.
175 */
176void wpa_sm_key_request(struct wpa_sm *sm, int error, int pairwise)
177{
5e3b5197 178 size_t mic_len, hdrlen, rlen;
6fc6879b
JM		 179 struct wpa_eapol_key *reply;
180 int key_info, ver;
6d014ffc 181 u8 bssid[ETH_ALEN], *rbuf, *key_mic, *mic;
6fc6879b 182
929a2ea5
JM		 183 if (sm->key_mgmt == WPA_KEY_MGMT_OSEN ||
184 wpa_key_mgmt_suite_b(sm->key_mgmt))
df0f01d9
JM		 185 ver = WPA_KEY_INFO_TYPE_AKM_DEFINED;
186 else if (wpa_key_mgmt_ft(sm->key_mgmt) ||
187 wpa_key_mgmt_sha256(sm->key_mgmt))
6fc6879b 188 ver = WPA_KEY_INFO_TYPE_AES_128_CMAC;
eb7719ff 189 else if (sm->pairwise_cipher != WPA_CIPHER_TKIP)
6fc6879b
JM		 190 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
191 else
192 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
193
194 if (wpa_sm_get_bssid(sm, bssid) < 0) {
f049052b
BG		 195 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
196 "Failed to read BSSID for EAPOL-Key request");
6fc6879b
JM		 197 return;
198 }
199
5e3b5197 200 mic_len = wpa_mic_len(sm->key_mgmt);
6d014ffc 201 hdrlen = sizeof(*reply) + mic_len + 2;
6fc6879b 202 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
5e3b5197 203 hdrlen, &rlen, (void *) &reply);
6fc6879b
JM		 204 if (rbuf == NULL)
205 return;
206
a14896e8
JM		 207 reply->type = (sm->proto == WPA_PROTO_RSN ||
208 sm->proto == WPA_PROTO_OSEN) ?
6fc6879b
JM		 209 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
210 key_info = WPA_KEY_INFO_REQUEST | ver;
211 if (sm->ptk_set)
4a26ccda
JM		 212 key_info |= WPA_KEY_INFO_SECURE;
213 if (sm->ptk_set && mic_len)
214 key_info |= WPA_KEY_INFO_MIC;
6fc6879b
JM		 215 if (error)
216 key_info |= WPA_KEY_INFO_ERROR;
217 if (pairwise)
218 key_info |= WPA_KEY_INFO_KEY_TYPE;
219 WPA_PUT_BE16(reply->key_info, key_info);
220 WPA_PUT_BE16(reply->key_length, 0);
221 os_memcpy(reply->replay_counter, sm->request_counter,
222 WPA_REPLAY_COUNTER_LEN);
223 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN);
224
6d014ffc
JM		 225 mic = (u8 *) (reply + 1);
226 WPA_PUT_BE16(mic + mic_len, 0);
5e3b5197
JM		 227 if (!(key_info & WPA_KEY_INFO_MIC))
228 key_mic = NULL;
229 else
6d014ffc 230 key_mic = mic;
6fc6879b 231
f049052b
BG		 232 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
233 "WPA: Sending EAPOL-Key Request (error=%d "
234 "pairwise=%d ptk_set=%d len=%lu)",
235 error, pairwise, sm->ptk_set, (unsigned long) rlen);
1049af7e
JM		 236 wpa_eapol_key_send(sm, &sm->ptk, ver, bssid, ETH_P_EAPOL, rbuf, rlen,
237 key_mic);
6fc6879b
JM		 238}
239
240
b41f2684
CL		 241static void wpa_supplicant_key_mgmt_set_pmk(struct wpa_sm *sm)
242{
243#ifdef CONFIG_IEEE80211R
244 if (sm->key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X) {
245 if (wpa_sm_key_mgmt_set_pmk(sm, sm->xxkey, sm->xxkey_len))
246 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
247 "RSN: Cannot set low order 256 bits of MSK for key management offload");
248 } else {
249#endif /* CONFIG_IEEE80211R */
250 if (wpa_sm_key_mgmt_set_pmk(sm, sm->pmk, sm->pmk_len))
251 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
252 "RSN: Cannot set PMK for key management offload");
253#ifdef CONFIG_IEEE80211R
254 }
255#endif /* CONFIG_IEEE80211R */
256}
257
258
6fc6879b
JM		 259static int wpa_supplicant_get_pmk(struct wpa_sm *sm,
260 const unsigned char *src_addr,
261 const u8 *pmkid)
262{
263 int abort_cached = 0;
264
265 if (pmkid && !sm->cur_pmksa) {
266 /* When using drivers that generate RSN IE, wpa_supplicant may
267 * not have enough time to get the association information
268 * event before receiving this 1/4 message, so try to find a
269 * matching PMKSA cache entry here. */
96efeeb6
JM		 270 sm->cur_pmksa = pmksa_cache_get(sm->pmksa, src_addr, pmkid,
271 NULL);
6fc6879b 272 if (sm->cur_pmksa) {
f049052b
BG		 273 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
274 "RSN: found matching PMKID from PMKSA cache");
6fc6879b 275 } else {
f049052b
BG		 276 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
277 "RSN: no matching PMKID found");
6fc6879b
JM		 278 abort_cached = 1;
279 }
280 }
281
282 if (pmkid && sm->cur_pmksa &&
0d15b69f 283 os_memcmp_const(pmkid, sm->cur_pmksa->pmkid, PMKID_LEN) == 0) {
6fc6879b
JM		 284 wpa_hexdump(MSG_DEBUG, "RSN: matched PMKID", pmkid, PMKID_LEN);
285 wpa_sm_set_pmk_from_pmksa(sm);
286 wpa_hexdump_key(MSG_DEBUG, "RSN: PMK from PMKSA cache",
287 sm->pmk, sm->pmk_len);
288 eapol_sm_notify_cached(sm->eapol);
289#ifdef CONFIG_IEEE80211R
290 sm->xxkey_len = 0;
291#endif /* CONFIG_IEEE80211R */
56586197 292 } else if (wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) && sm->eapol) {
6fc6879b 293 int res, pmk_len;
207976f0 294
834c5d68 295 if (wpa_key_mgmt_sha384(sm->key_mgmt))
207976f0
JM		 296 pmk_len = PMK_LEN_SUITE_B_192;
297 else
298 pmk_len = PMK_LEN;
299 res = eapol_sm_get_key(sm->eapol, sm->pmk, pmk_len);
6fc6879b 300 if (res) {
207976f0
JM		 301 if (pmk_len == PMK_LEN) {
302 /*
303 * EAP-LEAP is an exception from other EAP
304 * methods: it uses only 16-byte PMK.
305 */
306 res = eapol_sm_get_key(sm->eapol, sm->pmk, 16);
307 pmk_len = 16;
308 }
6fc6879b
JM		 309 } else {
310#ifdef CONFIG_IEEE80211R
311 u8 buf[2 * PMK_LEN];
312 if (eapol_sm_get_key(sm->eapol, buf, 2 * PMK_LEN) == 0)
313 {
314 os_memcpy(sm->xxkey, buf + PMK_LEN, PMK_LEN);
315 sm->xxkey_len = PMK_LEN;
316 os_memset(buf, 0, sizeof(buf));
317 }
318#endif /* CONFIG_IEEE80211R */
319 }
320 if (res == 0) {
a7f10d65 321 struct rsn_pmksa_cache_entry *sa = NULL;
869af307
JM		 322 const u8 *fils_cache_id = NULL;
323
324#ifdef CONFIG_FILS
325 if (sm->fils_cache_id_set)
326 fils_cache_id = sm->fils_cache_id;
327#endif /* CONFIG_FILS */
328
6fc6879b
JM		 329 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK from EAPOL state "
330 "machines", sm->pmk, pmk_len);
331 sm->pmk_len = pmk_len;
b41f2684 332 wpa_supplicant_key_mgmt_set_pmk(sm);
715ed737 333 if (sm->proto == WPA_PROTO_RSN &&
087a1f4e 334 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
715ed737 335 !wpa_key_mgmt_ft(sm->key_mgmt)) {
a7f10d65 336 sa = pmksa_cache_add(sm->pmksa,
70c93963 337 sm->pmk, pmk_len, NULL,
087a1f4e 338 NULL, 0,
a7f10d65
JM		 339 src_addr, sm->own_addr,
340 sm->network_ctx,
869af307
JM		 341 sm->key_mgmt,
342 fils_cache_id);
f5a51b58 343 }
6fc6879b 344 if (!sm->cur_pmksa && pmkid &&
96efeeb6
JM		 345 pmksa_cache_get(sm->pmksa, src_addr, pmkid, NULL))
346 {
f049052b
BG		 347 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
348 "RSN: the new PMK matches with the "
349 "PMKID");
6fc6879b 350 abort_cached = 0;
bddc51e8
JM		 351 } else if (sa && !sm->cur_pmksa && pmkid) {
352 /*
353 * It looks like the authentication server
354 * derived mismatching MSK. This should not
355 * really happen, but bugs happen.. There is not
356 * much we can do here without knowing what
357 * exactly caused the server to misbehave.
358 */
62417667 359 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
bddc51e8
JM		 360 "RSN: PMKID mismatch - authentication server may have derived different MSK?!");
361 return -1;
6fc6879b 362 }
a7f10d65
JM		 363
364 if (!sm->cur_pmksa)
365 sm->cur_pmksa = sa;
6fc6879b 366 } else {
0f057fb2 367 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
6fc6879b 368 "WPA: Failed to get master session key from "
f049052b
BG		 369 "EAPOL state machines - key handshake "
370 "aborted");
6fc6879b 371 if (sm->cur_pmksa) {
f049052b
BG		 372 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
373 "RSN: Cancelled PMKSA caching "
374 "attempt");
6fc6879b
JM		 375 sm->cur_pmksa = NULL;
376 abort_cached = 1;
1ac2d4a9 377 } else if (!abort_cached) {
6fc6879b
JM		 378 return -1;
379 }
380 }
381 }
382
715ed737 383 if (abort_cached && wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) &&
087a1f4e 384 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
a14896e8
JM		 385 !wpa_key_mgmt_ft(sm->key_mgmt) && sm->key_mgmt != WPA_KEY_MGMT_OSEN)
386 {
6fc6879b
JM		 387 /* Send EAPOL-Start to trigger full EAP authentication. */
388 u8 *buf;
389 size_t buflen;
390
f049052b
BG		 391 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
392 "RSN: no PMKSA entry found - trigger "
393 "full EAP authentication");
6fc6879b
JM		 394 buf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_START,
395 NULL, 0, &buflen, NULL);
396 if (buf) {
397 wpa_sm_ether_send(sm, sm->bssid, ETH_P_EAPOL,
398 buf, buflen);
399 os_free(buf);
b4a1256d 400 return -2;
6fc6879b
JM		 401 }
402
403 return -1;
404 }
405
406 return 0;
407}
408
409
410/**
411 * wpa_supplicant_send_2_of_4 - Send message 2 of WPA/RSN 4-Way Handshake
412 * @sm: Pointer to WPA state machine data from wpa_sm_init()
413 * @dst: Destination address for the frame
414 * @key: Pointer to the EAPOL-Key frame header
415 * @ver: Version bits from EAPOL-Key Key Info
416 * @nonce: Nonce value for the EAPOL-Key frame
417 * @wpa_ie: WPA/RSN IE
418 * @wpa_ie_len: Length of the WPA/RSN IE
419 * @ptk: PTK to use for keyed hash and encryption
c93b7e18 420 * Returns: >= 0 on success, < 0 on failure
6fc6879b
JM		 421 */
422int wpa_supplicant_send_2_of_4(struct wpa_sm *sm, const unsigned char *dst,
423 const struct wpa_eapol_key *key,
424 int ver, const u8 *nonce,
425 const u8 *wpa_ie, size_t wpa_ie_len,
426 struct wpa_ptk *ptk)
427{
5e3b5197 428 size_t mic_len, hdrlen, rlen;
6fc6879b 429 struct wpa_eapol_key *reply;
5e3b5197 430 u8 *rbuf, *key_mic;
26e23750 431 u8 *rsn_ie_buf = NULL;
4a26ccda 432 u16 key_info;
6fc6879b
JM		 433
434 if (wpa_ie == NULL) {
f049052b
BG		 435 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No wpa_ie set - "
436 "cannot generate msg 2/4");
6fc6879b
JM		 437 return -1;
438 }
439
26e23750
JM		 440#ifdef CONFIG_IEEE80211R
441 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
442 int res;
443
55046414
JM		 444 /*
445 * Add PMKR1Name into RSN IE (PMKID-List) and add MDIE and
446 * FTIE from (Re)Association Response.
447 */
448 rsn_ie_buf = os_malloc(wpa_ie_len + 2 + 2 + PMKID_LEN +
449 sm->assoc_resp_ies_len);
26e23750
JM		 450 if (rsn_ie_buf == NULL)
451 return -1;
452 os_memcpy(rsn_ie_buf, wpa_ie, wpa_ie_len);
59e78c24 453 res = wpa_insert_pmkid(rsn_ie_buf, &wpa_ie_len,
26e23750
JM		 454 sm->pmk_r1_name);
455 if (res < 0) {
456 os_free(rsn_ie_buf);
457 return -1;
458 }
55046414
JM		 459
460 if (sm->assoc_resp_ies) {
461 os_memcpy(rsn_ie_buf + wpa_ie_len, sm->assoc_resp_ies,
462 sm->assoc_resp_ies_len);
463 wpa_ie_len += sm->assoc_resp_ies_len;
464 }
26e23750
JM		 465
466 wpa_ie = rsn_ie_buf;
26e23750
JM		 467 }
468#endif /* CONFIG_IEEE80211R */
469
6fc6879b
JM		 470 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE for msg 2/4", wpa_ie, wpa_ie_len);
471
5e3b5197 472 mic_len = wpa_mic_len(sm->key_mgmt);
6d014ffc 473 hdrlen = sizeof(*reply) + mic_len + 2;
6fc6879b 474 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY,
5e3b5197 475 NULL, hdrlen + wpa_ie_len,
6fc6879b 476 &rlen, (void *) &reply);
26e23750
JM		 477 if (rbuf == NULL) {
478 os_free(rsn_ie_buf);
6fc6879b 479 return -1;
26e23750 480 }
6fc6879b 481
a14896e8
JM		 482 reply->type = (sm->proto == WPA_PROTO_RSN ||
483 sm->proto == WPA_PROTO_OSEN) ?
6fc6879b 484 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
4a26ccda
JM		 485 key_info = ver | WPA_KEY_INFO_KEY_TYPE;
486 if (mic_len)
487 key_info |= WPA_KEY_INFO_MIC;
2022f1d0
JM		 488 else
489 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
4a26ccda 490 WPA_PUT_BE16(reply->key_info, key_info);
a14896e8 491 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
6fc6879b
JM		 492 WPA_PUT_BE16(reply->key_length, 0);
493 else
494 os_memcpy(reply->key_length, key->key_length, 2);
495 os_memcpy(reply->replay_counter, key->replay_counter,
496 WPA_REPLAY_COUNTER_LEN);
bc8318ac
JM		 497 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", reply->replay_counter,
498 WPA_REPLAY_COUNTER_LEN);
6fc6879b 499
6d014ffc
JM		 500 key_mic = (u8 *) (reply + 1);
501 WPA_PUT_BE16(key_mic + mic_len, wpa_ie_len); /* Key Data Length */
502 os_memcpy(key_mic + mic_len + 2, wpa_ie, wpa_ie_len); /* Key Data */
26e23750 503 os_free(rsn_ie_buf);
6fc6879b
JM		 504
505 os_memcpy(reply->key_nonce, nonce, WPA_NONCE_LEN);
506
f049052b 507 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/4");
1049af7e
JM		 508 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
509 key_mic);
6fc6879b
JM		 510}
511
512
513static int wpa_derive_ptk(struct wpa_sm *sm, const unsigned char *src_addr,
98cd3d1c 514 const struct wpa_eapol_key *key, struct wpa_ptk *ptk)
6fc6879b
JM		 515{
516#ifdef CONFIG_IEEE80211R
56586197 517 if (wpa_key_mgmt_ft(sm->key_mgmt))
98cd3d1c 518 return wpa_derive_ptk_ft(sm, src_addr, key, ptk);
6fc6879b
JM		 519#endif /* CONFIG_IEEE80211R */
520
98cd3d1c
JM		 521 return wpa_pmk_to_ptk(sm->pmk, sm->pmk_len, "Pairwise key expansion",
522 sm->own_addr, sm->bssid, sm->snonce,
523 key->key_nonce, ptk, sm->key_mgmt,
524 sm->pairwise_cipher);
6fc6879b
JM		 525}
526
527
528static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
529 const unsigned char *src_addr,
530 const struct wpa_eapol_key *key,
e6270129
JM		 531 u16 ver, const u8 *key_data,
532 size_t key_data_len)
6fc6879b
JM		 533{
534 struct wpa_eapol_ie_parse ie;
535 struct wpa_ptk *ptk;
b4a1256d 536 int res;
25ef8529
JM		 537 u8 *kde, *kde_buf = NULL;
538 size_t kde_len;
6fc6879b
JM		 539
540 if (wpa_sm_get_network_ctx(sm) == NULL) {
f049052b
BG		 541 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No SSID info "
542 "found (msg 1 of 4)");
6fc6879b
JM		 543 return;
544 }
545
546 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
f049052b
BG		 547 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 1 of 4-Way "
548 "Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
6fc6879b
JM		 549
550 os_memset(&ie, 0, sizeof(ie));
551
a14896e8 552 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
6fc6879b 553 /* RSN: msg 1/4 should contain PMKID for the selected PMK */
e6270129
JM		 554 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data",
555 key_data, key_data_len);
556 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
d627a939 557 goto failed;
6fc6879b
JM		 558 if (ie.pmkid) {
559 wpa_hexdump(MSG_DEBUG, "RSN: PMKID from "
560 "Authenticator", ie.pmkid, PMKID_LEN);
561 }
562 }
6fc6879b 563
b4a1256d
JM		 564 res = wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid);
565 if (res == -2) {
f049052b
BG		 566 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: Do not reply to "
567 "msg 1/4 - requesting full EAP authentication");
b4a1256d
JM		 568 return;
569 }
570 if (res)
83935317 571 goto failed;
6fc6879b
JM		 572
573 if (sm->renew_snonce) {
3642c431 574 if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) {
0f057fb2 575 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
6fc6879b 576 "WPA: Failed to get random data for SNonce");
83935317 577 goto failed;
6fc6879b
JM		 578 }
579 sm->renew_snonce = 0;
580 wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce",
581 sm->snonce, WPA_NONCE_LEN);
582 }
583
584 /* Calculate PTK which will be stored as a temporary PTK until it has
585 * been verified when processing message 3/4. */
586 ptk = &sm->tptk;
587 wpa_derive_ptk(sm, src_addr, key, ptk);
3b9c5176 588 if (sm->pairwise_cipher == WPA_CIPHER_TKIP) {
d2c33b91 589 u8 buf[8];
3b9c5176 590 /* Supplicant: swap tx/rx Mic keys */
98cd3d1c
JM		 591 os_memcpy(buf, &ptk->tk[16], 8);
592 os_memcpy(&ptk->tk[16], &ptk->tk[24], 8);
593 os_memcpy(&ptk->tk[24], buf, 8);
d2c33b91 594 os_memset(buf, 0, sizeof(buf));
3b9c5176 595 }
6fc6879b 596 sm->tptk_set = 1;
ad00d64e 597 sm->tk_to_set = 1;
6fc6879b 598
25ef8529
JM		 599 kde = sm->assoc_wpa_ie;
600 kde_len = sm->assoc_wpa_ie_len;
601
602#ifdef CONFIG_P2P
603 if (sm->p2p) {
604 kde_buf = os_malloc(kde_len + 2 + RSN_SELECTOR_LEN + 1);
605 if (kde_buf) {
606 u8 *pos;
607 wpa_printf(MSG_DEBUG, "P2P: Add IP Address Request KDE "
608 "into EAPOL-Key 2/4");
609 os_memcpy(kde_buf, kde, kde_len);
610 kde = kde_buf;
611 pos = kde + kde_len;
612 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
613 *pos++ = RSN_SELECTOR_LEN + 1;
614 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_IP_ADDR_REQ);
615 pos += RSN_SELECTOR_LEN;
616 *pos++ = 0x01;
617 kde_len = pos - kde;
618 }
619 }
620#endif /* CONFIG_P2P */
621
6fc6879b 622 if (wpa_supplicant_send_2_of_4(sm, sm->bssid, key, ver, sm->snonce,
c93b7e18 623 kde, kde_len, ptk) < 0)
83935317 624 goto failed;
6fc6879b 625
25ef8529 626 os_free(kde_buf);
6fc6879b 627 os_memcpy(sm->anonce, key->key_nonce, WPA_NONCE_LEN);
83935317
JM		 628 return;
629
630failed:
25ef8529 631 os_free(kde_buf);
83935317 632 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
6fc6879b
JM		 633}
634
635
636static void wpa_sm_start_preauth(void *eloop_ctx, void *timeout_ctx)
637{
638 struct wpa_sm *sm = eloop_ctx;
639 rsn_preauth_candidate_process(sm);
640}
641
642
643static void wpa_supplicant_key_neg_complete(struct wpa_sm *sm,
644 const u8 *addr, int secure)
645{
0f057fb2
JM		 646 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
647 "WPA: Key negotiation completed with "
6fc6879b
JM		 648 MACSTR " [PTK=%s GTK=%s]", MAC2STR(addr),
649 wpa_cipher_txt(sm->pairwise_cipher),
650 wpa_cipher_txt(sm->group_cipher));
6fc6879b
JM		 651 wpa_sm_cancel_auth_timeout(sm);
652 wpa_sm_set_state(sm, WPA_COMPLETED);
653
654 if (secure) {
655 wpa_sm_mlme_setprotection(
656 sm, addr, MLME_SETPROTECTION_PROTECT_TYPE_RX_TX,
657 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
658 eapol_sm_notify_portValid(sm->eapol, TRUE);
a1ea1b45
JM		 659 if (wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
660 sm->key_mgmt == WPA_KEY_MGMT_OWE)
6fc6879b
JM		 661 eapol_sm_notify_eap_success(sm->eapol, TRUE);
662 /*
663 * Start preauthentication after a short wait to avoid a
664 * possible race condition between the data receive and key
665 * configuration after the 4-Way Handshake. This increases the
ffbf1eaa 666 * likelihood of the first preauth EAPOL-Start frame getting to
6fc6879b
JM		 667 * the target AP.
668 */
669 eloop_register_timeout(1, 0, wpa_sm_start_preauth, sm, NULL);
670 }
671
672 if (sm->cur_pmksa && sm->cur_pmksa->opportunistic) {
f049052b
BG		 673 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
674 "RSN: Authenticator accepted "
675 "opportunistic PMKSA entry - marking it valid");
6fc6879b
JM		 676 sm->cur_pmksa->opportunistic = 0;
677 }
678
679#ifdef CONFIG_IEEE80211R
56586197 680 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
6fc6879b 681 /* Prepare for the next transition */
76b7981d 682 wpa_ft_prepare_auth_request(sm, NULL);
6fc6879b
JM		 683 }
684#endif /* CONFIG_IEEE80211R */
685}
686
687
581a8cde
JM		 688static void wpa_sm_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
689{
690 struct wpa_sm *sm = eloop_ctx;
f049052b 691 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Request PTK rekeying");
581a8cde
JM		 692 wpa_sm_key_request(sm, 0, 1);
693}
694
695
6fc6879b
JM		 696static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
697 const struct wpa_eapol_key *key)
698{
699 int keylen, rsclen;
71934751 700 enum wpa_alg alg;
6fc6879b 701 const u8 *key_rsc;
6fc6879b 702
ad00d64e
JM		 703 if (!sm->tk_to_set) {
704 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
705 "WPA: Do not re-install same PTK to the driver");
706 return 0;
707 }
708
f049052b
BG		 709 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
710 "WPA: Installing PTK to the driver");
6fc6879b 711
c3550295 712 if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
f049052b
BG		 713 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Pairwise Cipher "
714 "Suite: NONE - do not use pairwise keys");
6fc6879b 715 return 0;
c3550295
JM		 716 }
717
718 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
f049052b
BG		 719 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
720 "WPA: Unsupported pairwise cipher %d",
721 sm->pairwise_cipher);
6fc6879b
JM		 722 return -1;
723 }
724
c3550295
JM		 725 alg = wpa_cipher_to_alg(sm->pairwise_cipher);
726 keylen = wpa_cipher_key_len(sm->pairwise_cipher);
727 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
728
a14896e8 729 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
6fc6879b
JM		 730 key_rsc = null_rsc;
731 } else {
732 key_rsc = key->key_rsc;
733 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen);
734 }
735
736 if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, key_rsc, rsclen,
98cd3d1c 737 sm->ptk.tk, keylen) < 0) {
f049052b
BG		 738 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
739 "WPA: Failed to set PTK to the "
740 "driver (alg=%d keylen=%d bssid=" MACSTR ")",
741 alg, keylen, MAC2STR(sm->bssid));
6fc6879b
JM		 742 return -1;
743 }
581a8cde 744
7d711541 745 /* TK is not needed anymore in supplicant */
98cd3d1c 746 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
ad00d64e 747 sm->tk_to_set = 0;
7d711541 748
581a8cde
JM		 749 if (sm->wpa_ptk_rekey) {
750 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
751 eloop_register_timeout(sm->wpa_ptk_rekey, 0, wpa_sm_rekey_ptk,
752 sm, NULL);
753 }
754
6fc6879b
JM		 755 return 0;
756}
757
758
f049052b
BG		 759static int wpa_supplicant_check_group_cipher(struct wpa_sm *sm,
760 int group_cipher,
6fc6879b 761 int keylen, int maxkeylen,
71934751
JM		 762 int *key_rsc_len,
763 enum wpa_alg *alg)
6fc6879b 764{
c3550295 765 int klen;
6fc6879b 766
c3550295
JM		 767 *alg = wpa_cipher_to_alg(group_cipher);
768 if (*alg == WPA_ALG_NONE) {
f049052b
BG		 769 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
770 "WPA: Unsupported Group Cipher %d",
771 group_cipher);
6fc6879b
JM		 772 return -1;
773 }
c3550295 774 *key_rsc_len = wpa_cipher_rsc_len(group_cipher);
6fc6879b 775
c3550295
JM		 776 klen = wpa_cipher_key_len(group_cipher);
777 if (keylen != klen || maxkeylen < klen) {
f049052b
BG		 778 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
779 "WPA: Unsupported %s Group Cipher key length %d (%d)",
780 wpa_cipher_txt(group_cipher), keylen, maxkeylen);
c3550295 781 return -1;
6fc6879b 782 }
c3550295 783 return 0;
6fc6879b
JM		 784}
785
786
787struct wpa_gtk_data {
71934751 788 enum wpa_alg alg;
6fc6879b
JM		 789 int tx, key_rsc_len, keyidx;
790 u8 gtk[32];
791 int gtk_len;
792};
793
794
795static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
796 const struct wpa_gtk_data *gd,
797 const u8 *key_rsc)
798{
799 const u8 *_gtk = gd->gtk;
800 u8 gtk_buf[32];
801
802 wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
f049052b
BG		 803 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
804 "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)",
805 gd->keyidx, gd->tx, gd->gtk_len);
6fc6879b
JM		 806 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, gd->key_rsc_len);
807 if (sm->group_cipher == WPA_CIPHER_TKIP) {
808 /* Swap Tx/Rx keys for Michael MIC */
809 os_memcpy(gtk_buf, gd->gtk, 16);
810 os_memcpy(gtk_buf + 16, gd->gtk + 24, 8);
811 os_memcpy(gtk_buf + 24, gd->gtk + 16, 8);
812 _gtk = gtk_buf;
813 }
814 if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
0382097e 815 if (wpa_sm_set_key(sm, gd->alg, NULL,
6fc6879b
JM		 816 gd->keyidx, 1, key_rsc, gd->key_rsc_len,
817 _gtk, gd->gtk_len) < 0) {
f049052b
BG		 818 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
819 "WPA: Failed to set GTK to the driver "
820 "(Group only)");
d2c33b91 821 os_memset(gtk_buf, 0, sizeof(gtk_buf));
6fc6879b
JM		 822 return -1;
823 }
0382097e 824 } else if (wpa_sm_set_key(sm, gd->alg, broadcast_ether_addr,
6fc6879b
JM		 825 gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len,
826 _gtk, gd->gtk_len) < 0) {
f049052b
BG		 827 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
828 "WPA: Failed to set GTK to "
829 "the driver (alg=%d keylen=%d keyidx=%d)",
830 gd->alg, gd->gtk_len, gd->keyidx);
d2c33b91 831 os_memset(gtk_buf, 0, sizeof(gtk_buf));
6fc6879b
JM		 832 return -1;
833 }
d2c33b91 834 os_memset(gtk_buf, 0, sizeof(gtk_buf));
6fc6879b
JM		 835
836 return 0;
837}
838
839
840static int wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm *sm,
841 int tx)
842{
843 if (tx && sm->pairwise_cipher != WPA_CIPHER_NONE) {
844 /* Ignore Tx bit for GTK if a pairwise key is used. One AP
845 * seemed to set this bit (incorrectly, since Tx is only when
846 * doing Group Key only APs) and without this workaround, the
847 * data connection does not work because wpa_supplicant
848 * configured non-zero keyidx to be used for unicast. */
f049052b
BG		 849 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
850 "WPA: Tx bit set for GTK, but pairwise "
851 "keys are used - ignore Tx bit");
6fc6879b
JM		 852 return 0;
853 }
854 return tx;
855}
856
857
73ed03f3
MS		 858static int wpa_supplicant_rsc_relaxation(const struct wpa_sm *sm,
859 const u8 *rsc)
860{
861 int rsclen;
862
863 if (!sm->wpa_rsc_relaxation)
864 return 0;
865
866 rsclen = wpa_cipher_rsc_len(sm->group_cipher);
867
868 /*
869 * Try to detect RSC (endian) corruption issue where the AP sends
870 * the RSC bytes in EAPOL-Key message in the wrong order, both if
871 * it's actually a 6-byte field (as it should be) and if it treats
872 * it as an 8-byte field.
873 * An AP model known to have this bug is the Sapido RB-1632.
874 */
875 if (rsclen == 6 && ((rsc[5] && !rsc[0]) || rsc[6] || rsc[7])) {
876 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
877 "RSC %02x%02x%02x%02x%02x%02x%02x%02x is likely bogus, using 0",
878 rsc[0], rsc[1], rsc[2], rsc[3],
879 rsc[4], rsc[5], rsc[6], rsc[7]);
880
881 return 1;
882 }
883
884 return 0;
885}
886
887
6fc6879b
JM		 888static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
889 const struct wpa_eapol_key *key,
890 const u8 *gtk, size_t gtk_len,
891 int key_info)
892{
6fc6879b 893 struct wpa_gtk_data gd;
73ed03f3 894 const u8 *key_rsc;
6fc6879b
JM		 895
896 /*
897 * IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames - Figure 43x
898 * GTK KDE format:
899 * KeyID[bits 0-1], Tx [bit 2], Reserved [bits 3-7]
900 * Reserved [bits 0-7]
901 * GTK
902 */
903
904 os_memset(&gd, 0, sizeof(gd));
905 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in pairwise handshake",
906 gtk, gtk_len);
907
908 if (gtk_len < 2 || gtk_len - 2 > sizeof(gd.gtk))
909 return -1;
910
911 gd.keyidx = gtk[0] & 0x3;
912 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
913 !!(gtk[0] & BIT(2)));
914 gtk += 2;
915 gtk_len -= 2;
916
917 os_memcpy(gd.gtk, gtk, gtk_len);
918 gd.gtk_len = gtk_len;
919
73ed03f3
MS		 920 key_rsc = key->key_rsc;
921 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
922 key_rsc = null_rsc;
923
dff1e285
JM		 924 if (sm->group_cipher != WPA_CIPHER_GTK_NOT_USED &&
925 (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
926 gtk_len, gtk_len,
927 &gd.key_rsc_len, &gd.alg) ||
73ed03f3 928 wpa_supplicant_install_gtk(sm, &gd, key_rsc))) {
f049052b
BG		 929 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
930 "RSN: Failed to install GTK");
d2c33b91 931 os_memset(&gd, 0, sizeof(gd));
6fc6879b
JM		 932 return -1;
933 }
d2c33b91 934 os_memset(&gd, 0, sizeof(gd));
6fc6879b
JM		 935
936 wpa_supplicant_key_neg_complete(sm, sm->bssid,
937 key_info & WPA_KEY_INFO_SECURE);
938 return 0;
6fc6879b
JM		 939}
940
941
942static int ieee80211w_set_keys(struct wpa_sm *sm,
943 struct wpa_eapol_ie_parse *ie)
944{
945#ifdef CONFIG_IEEE80211W
8dd9f9cd 946 if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher))
6fc6879b
JM		 947 return 0;
948
949 if (ie->igtk) {
8dd9f9cd 950 size_t len;
6fc6879b
JM		 951 const struct wpa_igtk_kde *igtk;
952 u16 keyidx;
8dd9f9cd
JM		 953 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
954 if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len)
6fc6879b
JM		 955 return -1;
956 igtk = (const struct wpa_igtk_kde *) ie->igtk;
957 keyidx = WPA_GET_LE16(igtk->keyid);
f049052b
BG		 958 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: IGTK keyid %d "
959 "pn %02x%02x%02x%02x%02x%02x",
960 keyidx, MAC2STR(igtk->pn));
6fc6879b 961 wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK",
8dd9f9cd 962 igtk->igtk, len);
6fc6879b 963 if (keyidx > 4095) {
f049052b
BG		 964 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
965 "WPA: Invalid IGTK KeyID %d", keyidx);
6fc6879b
JM		 966 return -1;
967 }
8dd9f9cd
JM		 968 if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
969 broadcast_ether_addr,
6fc6879b 970 keyidx, 0, igtk->pn, sizeof(igtk->pn),
8dd9f9cd 971 igtk->igtk, len) < 0) {
f049052b
BG		 972 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
973 "WPA: Failed to configure IGTK to the driver");
6fc6879b
JM		 974 return -1;
975 }
976 }
977
978 return 0;
979#else /* CONFIG_IEEE80211W */
980 return 0;
981#endif /* CONFIG_IEEE80211W */
982}
983
984
985static void wpa_report_ie_mismatch(struct wpa_sm *sm,
986 const char *reason, const u8 *src_addr,
987 const u8 *wpa_ie, size_t wpa_ie_len,
988 const u8 *rsn_ie, size_t rsn_ie_len)
989{
0f057fb2 990 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: %s (src=" MACSTR ")",
6fc6879b
JM		 991 reason, MAC2STR(src_addr));
992
993 if (sm->ap_wpa_ie) {
994 wpa_hexdump(MSG_INFO, "WPA: WPA IE in Beacon/ProbeResp",
995 sm->ap_wpa_ie, sm->ap_wpa_ie_len);
996 }
997 if (wpa_ie) {
998 if (!sm->ap_wpa_ie) {
f049052b
BG		 999 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1000 "WPA: No WPA IE in Beacon/ProbeResp");
6fc6879b
JM		 1001 }
1002 wpa_hexdump(MSG_INFO, "WPA: WPA IE in 3/4 msg",
1003 wpa_ie, wpa_ie_len);
1004 }
1005
1006 if (sm->ap_rsn_ie) {
1007 wpa_hexdump(MSG_INFO, "WPA: RSN IE in Beacon/ProbeResp",
1008 sm->ap_rsn_ie, sm->ap_rsn_ie_len);
1009 }
1010 if (rsn_ie) {
1011 if (!sm->ap_rsn_ie) {
f049052b
BG		 1012 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1013 "WPA: No RSN IE in Beacon/ProbeResp");
6fc6879b
JM		 1014 }
1015 wpa_hexdump(MSG_INFO, "WPA: RSN IE in 3/4 msg",
1016 rsn_ie, rsn_ie_len);
1017 }
1018
3da372fa 1019 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
6fc6879b
JM		 1020}
1021
1022
5af8187e
JM		 1023#ifdef CONFIG_IEEE80211R
1024
1025static int ft_validate_mdie(struct wpa_sm *sm,
1026 const unsigned char *src_addr,
3b4f6dac
JM		 1027 struct wpa_eapol_ie_parse *ie,
1028 const u8 *assoc_resp_mdie)
5af8187e
JM		 1029{
1030 struct rsn_mdie *mdie;
1031
5af8187e
JM		 1032 mdie = (struct rsn_mdie *) (ie->mdie + 2);
1033 if (ie->mdie == NULL || ie->mdie_len < 2 + sizeof(*mdie) ||
1034 os_memcmp(mdie->mobility_domain, sm->mobility_domain,
1035 MOBILITY_DOMAIN_ID_LEN) != 0) {
f049052b
BG		 1036 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE in msg 3/4 did "
1037 "not match with the current mobility domain");
5af8187e
JM		 1038 return -1;
1039 }
1040
3b4f6dac
JM		 1041 if (assoc_resp_mdie &&
1042 (assoc_resp_mdie[1] != ie->mdie[1] ||
1043 os_memcmp(assoc_resp_mdie, ie->mdie, 2 + ie->mdie[1]) != 0)) {
f049052b 1044 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE mismatch");
3b4f6dac
JM		 1045 wpa_hexdump(MSG_DEBUG, "FT: MDIE in EAPOL-Key msg 3/4",
1046 ie->mdie, 2 + ie->mdie[1]);
1047 wpa_hexdump(MSG_DEBUG, "FT: MDIE in (Re)Association Response",
1048 assoc_resp_mdie, 2 + assoc_resp_mdie[1]);
1049 return -1;
1050 }
1051
1052 return 0;
1053}
1054
1055
1056static int ft_validate_ftie(struct wpa_sm *sm,
1057 const unsigned char *src_addr,
1058 struct wpa_eapol_ie_parse *ie,
1059 const u8 *assoc_resp_ftie)
1060{
1061 if (ie->ftie == NULL) {
f049052b
BG		 1062 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1063 "FT: No FTIE in EAPOL-Key msg 3/4");
3b4f6dac
JM		 1064 return -1;
1065 }
1066
1067 if (assoc_resp_ftie == NULL)
1068 return 0;
1069
1070 if (assoc_resp_ftie[1] != ie->ftie[1] ||
1071 os_memcmp(assoc_resp_ftie, ie->ftie, 2 + ie->ftie[1]) != 0) {
f049052b 1072 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: FTIE mismatch");
3b4f6dac
JM		 1073 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 3/4",
1074 ie->ftie, 2 + ie->ftie[1]);
1075 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)Association Response",
1076 assoc_resp_ftie, 2 + assoc_resp_ftie[1]);
1077 return -1;
1078 }
1079
5af8187e
JM		 1080 return 0;
1081}
1082
1083
1084static int ft_validate_rsnie(struct wpa_sm *sm,
1085 const unsigned char *src_addr,
1086 struct wpa_eapol_ie_parse *ie)
1087{
1088 struct wpa_ie_data rsn;
1089
1090 if (!ie->rsn_ie)
1091 return 0;
1092
1093 /*
1094 * Verify that PMKR1Name from EAPOL-Key message 3/4
1095 * matches with the value we derived.
1096 */
1097 if (wpa_parse_wpa_ie_rsn(ie->rsn_ie, ie->rsn_ie_len, &rsn) < 0 ||
1098 rsn.num_pmkid != 1 || rsn.pmkid == NULL) {
f049052b
BG		 1099 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: No PMKR1Name in "
1100 "FT 4-way handshake message 3/4");
5af8187e
JM		 1101 return -1;
1102 }
1103
0d15b69f
JM		 1104 if (os_memcmp_const(rsn.pmkid, sm->pmk_r1_name, WPA_PMK_NAME_LEN) != 0)
1105 {
f049052b
BG		 1106 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1107 "FT: PMKR1Name mismatch in "
1108 "FT 4-way handshake message 3/4");
5af8187e
JM		 1109 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Authenticator",
1110 rsn.pmkid, WPA_PMK_NAME_LEN);
1111 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
1112 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
1113 return -1;
1114 }
1115
1116 return 0;
1117}
1118
1119
1120static int wpa_supplicant_validate_ie_ft(struct wpa_sm *sm,
1121 const unsigned char *src_addr,
1122 struct wpa_eapol_ie_parse *ie)
1123{
3b4f6dac
JM		 1124 const u8 *pos, *end, *mdie = NULL, *ftie = NULL;
1125
1126 if (sm->assoc_resp_ies) {
1127 pos = sm->assoc_resp_ies;
1128 end = pos + sm->assoc_resp_ies_len;
2461724c
JM		 1129 while (end - pos > 2) {
1130 if (2 + pos[1] > end - pos)
3b4f6dac
JM		 1131 break;
1132 switch (*pos) {
1133 case WLAN_EID_MOBILITY_DOMAIN:
1134 mdie = pos;
1135 break;
1136 case WLAN_EID_FAST_BSS_TRANSITION:
1137 ftie = pos;
1138 break;
1139 }
1140 pos += 2 + pos[1];
1141 }
1142 }
1143
1144 if (ft_validate_mdie(sm, src_addr, ie, mdie) < 0 ||
1145 ft_validate_ftie(sm, src_addr, ie, ftie) < 0 ||
5af8187e
JM		 1146 ft_validate_rsnie(sm, src_addr, ie) < 0)
1147 return -1;
1148
1149 return 0;
1150}
1151
1152#endif /* CONFIG_IEEE80211R */
1153
1154
6fc6879b
JM		 1155static int wpa_supplicant_validate_ie(struct wpa_sm *sm,
1156 const unsigned char *src_addr,
1157 struct wpa_eapol_ie_parse *ie)
1158{
1159 if (sm->ap_wpa_ie == NULL && sm->ap_rsn_ie == NULL) {
f049052b
BG		 1160 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1161 "WPA: No WPA/RSN IE for this AP known. "
1162 "Trying to get from scan results");
6fc6879b 1163 if (wpa_sm_get_beacon_ie(sm) < 0) {
f049052b
BG		 1164 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1165 "WPA: Could not find AP from "
1166 "the scan results");
6fc6879b 1167 } else {
f049052b
BG		 1168 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
1169 "WPA: Found the current AP from "
1170 "updated scan results");
6fc6879b
JM		 1171 }
1172 }
1173
1174 if (ie->wpa_ie == NULL && ie->rsn_ie == NULL &&
1175 (sm->ap_wpa_ie || sm->ap_rsn_ie)) {
1176 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
1177 "with IE in Beacon/ProbeResp (no IE?)",
1178 src_addr, ie->wpa_ie, ie->wpa_ie_len,
1179 ie->rsn_ie, ie->rsn_ie_len);
1180 return -1;
1181 }
1182
1183 if ((ie->wpa_ie && sm->ap_wpa_ie &&
1184 (ie->wpa_ie_len != sm->ap_wpa_ie_len ||
1185 os_memcmp(ie->wpa_ie, sm->ap_wpa_ie, ie->wpa_ie_len) != 0)) ||
1186 (ie->rsn_ie && sm->ap_rsn_ie &&
26e23750
JM		 1187 wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
1188 sm->ap_rsn_ie, sm->ap_rsn_ie_len,
1189 ie->rsn_ie, ie->rsn_ie_len))) {
6fc6879b
JM		 1190 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
1191 "with IE in Beacon/ProbeResp",
1192 src_addr, ie->wpa_ie, ie->wpa_ie_len,
1193 ie->rsn_ie, ie->rsn_ie_len);
1194 return -1;
1195 }
1196
1197 if (sm->proto == WPA_PROTO_WPA &&
1198 ie->rsn_ie && sm->ap_rsn_ie == NULL && sm->rsn_enabled) {
1199 wpa_report_ie_mismatch(sm, "Possible downgrade attack "
1200 "detected - RSN was enabled and RSN IE "
1201 "was in msg 3/4, but not in "
1202 "Beacon/ProbeResp",
1203 src_addr, ie->wpa_ie, ie->wpa_ie_len,
1204 ie->rsn_ie, ie->rsn_ie_len);
1205 return -1;
1206 }
1207
1208#ifdef CONFIG_IEEE80211R
5af8187e
JM		 1209 if (wpa_key_mgmt_ft(sm->key_mgmt) &&
1210 wpa_supplicant_validate_ie_ft(sm, src_addr, ie) < 0)
1211 return -1;
6fc6879b
JM		 1212#endif /* CONFIG_IEEE80211R */
1213
1214 return 0;
1215}
1216
1217
1218/**
1219 * wpa_supplicant_send_4_of_4 - Send message 4 of WPA/RSN 4-Way Handshake
1220 * @sm: Pointer to WPA state machine data from wpa_sm_init()
1221 * @dst: Destination address for the frame
1222 * @key: Pointer to the EAPOL-Key frame header
1223 * @ver: Version bits from EAPOL-Key Key Info
1224 * @key_info: Key Info
6fc6879b 1225 * @ptk: PTK to use for keyed hash and encryption
c93b7e18 1226 * Returns: >= 0 on success, < 0 on failure
6fc6879b
JM		 1227 */
1228int wpa_supplicant_send_4_of_4(struct wpa_sm *sm, const unsigned char *dst,
1229 const struct wpa_eapol_key *key,
1230 u16 ver, u16 key_info,
6fc6879b
JM		 1231 struct wpa_ptk *ptk)
1232{
5e3b5197 1233 size_t mic_len, hdrlen, rlen;
6fc6879b 1234 struct wpa_eapol_key *reply;
5e3b5197 1235 u8 *rbuf, *key_mic;
6fc6879b 1236
5e3b5197 1237 mic_len = wpa_mic_len(sm->key_mgmt);
6d014ffc 1238 hdrlen = sizeof(*reply) + mic_len + 2;
6fc6879b 1239 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
5e3b5197 1240 hdrlen, &rlen, (void *) &reply);
6fc6879b
JM		 1241 if (rbuf == NULL)
1242 return -1;
1243
a14896e8
JM		 1244 reply->type = (sm->proto == WPA_PROTO_RSN ||
1245 sm->proto == WPA_PROTO_OSEN) ?
6fc6879b
JM		 1246 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1247 key_info &= WPA_KEY_INFO_SECURE;
4a26ccda
JM		 1248 key_info |= ver | WPA_KEY_INFO_KEY_TYPE;
1249 if (mic_len)
1250 key_info |= WPA_KEY_INFO_MIC;
2022f1d0
JM		 1251 else
1252 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
6fc6879b 1253 WPA_PUT_BE16(reply->key_info, key_info);
a14896e8 1254 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
6fc6879b
JM		 1255 WPA_PUT_BE16(reply->key_length, 0);
1256 else
1257 os_memcpy(reply->key_length, key->key_length, 2);
1258 os_memcpy(reply->replay_counter, key->replay_counter,
1259 WPA_REPLAY_COUNTER_LEN);
1260
6d014ffc
JM		 1261 key_mic = (u8 *) (reply + 1);
1262 WPA_PUT_BE16(key_mic + mic_len, 0);
6fc6879b 1263
f049052b 1264 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 4/4");
1049af7e
JM		 1265 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
1266 key_mic);
6fc6879b
JM		 1267}
1268
1269
1270static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm,
1271 const struct wpa_eapol_key *key,
e6270129
JM		 1272 u16 ver, const u8 *key_data,
1273 size_t key_data_len)
6fc6879b 1274{
e6270129 1275 u16 key_info, keylen;
6fc6879b
JM		 1276 struct wpa_eapol_ie_parse ie;
1277
1278 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
f049052b
BG		 1279 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 3 of 4-Way "
1280 "Handshake from " MACSTR " (ver=%d)", MAC2STR(sm->bssid), ver);
6fc6879b
JM		 1281
1282 key_info = WPA_GET_BE16(key->key_info);
1283
e6270129
JM		 1284 wpa_hexdump(MSG_DEBUG, "WPA: IE KeyData", key_data, key_data_len);
1285 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
d627a939 1286 goto failed;
6fc6879b 1287 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
f049052b
BG		 1288 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1289 "WPA: GTK IE in unencrypted key data");
83935317 1290 goto failed;
6fc6879b
JM		 1291 }
1292#ifdef CONFIG_IEEE80211W
1293 if (ie.igtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
f049052b
BG		 1294 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1295 "WPA: IGTK KDE in unencrypted key data");
83935317 1296 goto failed;
6fc6879b
JM		 1297 }
1298
8dd9f9cd
JM		 1299 if (ie.igtk &&
1300 wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) &&
1301 ie.igtk_len != WPA_IGTK_KDE_PREFIX_LEN +
1302 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
f049052b
BG		 1303 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1304 "WPA: Invalid IGTK KDE length %lu",
1305 (unsigned long) ie.igtk_len);
83935317 1306 goto failed;
6fc6879b
JM		 1307 }
1308#endif /* CONFIG_IEEE80211W */
1309
1310 if (wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0)
83935317 1311 goto failed;
6fc6879b
JM		 1312
1313 if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
f049052b
BG		 1314 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1315 "WPA: ANonce from message 1 of 4-Way Handshake "
1316 "differs from 3 of 4-Way Handshake - drop packet (src="
1317 MACSTR ")", MAC2STR(sm->bssid));
83935317 1318 goto failed;
6fc6879b
JM		 1319 }
1320
1321 keylen = WPA_GET_BE16(key->key_length);
c3550295
JM		 1322 if (keylen != wpa_cipher_key_len(sm->pairwise_cipher)) {
1323 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1324 "WPA: Invalid %s key length %d (src=" MACSTR
1325 ")", wpa_cipher_txt(sm->pairwise_cipher), keylen,
1326 MAC2STR(sm->bssid));
1327 goto failed;
6fc6879b
JM		 1328 }
1329
25ef8529
JM		 1330#ifdef CONFIG_P2P
1331 if (ie.ip_addr_alloc) {
1332 os_memcpy(sm->p2p_ip_addr, ie.ip_addr_alloc, 3 * 4);
1333 wpa_hexdump(MSG_DEBUG, "P2P: IP address info",
1334 sm->p2p_ip_addr, sizeof(sm->p2p_ip_addr));
1335 }
1336#endif /* CONFIG_P2P */
1337
6fc6879b 1338 if (wpa_supplicant_send_4_of_4(sm, sm->bssid, key, ver, key_info,
c93b7e18 1339 &sm->ptk) < 0) {
83935317
JM		 1340 goto failed;
1341 }
6fc6879b
JM		 1342
1343 /* SNonce was successfully used in msg 3/4, so mark it to be renewed
1344 * for the next 4-Way Handshake. If msg 3 is received again, the old
1345 * SNonce will still be used to avoid changing PTK. */
1346 sm->renew_snonce = 1;
1347
1348 if (key_info & WPA_KEY_INFO_INSTALL) {
83935317
JM		 1349 if (wpa_supplicant_install_ptk(sm, key))
1350 goto failed;
6fc6879b
JM		 1351 }
1352
1353 if (key_info & WPA_KEY_INFO_SECURE) {
1354 wpa_sm_mlme_setprotection(
1355 sm, sm->bssid, MLME_SETPROTECTION_PROTECT_TYPE_RX,
1356 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
1357 eapol_sm_notify_portValid(sm->eapol, TRUE);
1358 }
1359 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
1360
dff1e285
JM		 1361 if (sm->group_cipher == WPA_CIPHER_GTK_NOT_USED) {
1362 wpa_supplicant_key_neg_complete(sm, sm->bssid,
1363 key_info & WPA_KEY_INFO_SECURE);
1364 } else if (ie.gtk &&
6fc6879b
JM		 1365 wpa_supplicant_pairwise_gtk(sm, key,
1366 ie.gtk, ie.gtk_len, key_info) < 0) {
f049052b
BG		 1367 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1368 "RSN: Failed to configure GTK");
83935317 1369 goto failed;
6fc6879b
JM		 1370 }
1371
83935317 1372 if (ieee80211w_set_keys(sm, &ie) < 0) {
f049052b
BG		 1373 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1374 "RSN: Failed to configure IGTK");
83935317
JM		 1375 goto failed;
1376 }
1377
392e68e8
SD		 1378 if (ie.gtk)
1379 wpa_sm_set_rekey_offload(sm);
b14a210c 1380
087a1f4e
JM		 1381 if (sm->proto == WPA_PROTO_RSN && wpa_key_mgmt_suite_b(sm->key_mgmt)) {
1382 struct rsn_pmksa_cache_entry *sa;
1383
70c93963 1384 sa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, NULL,
98cd3d1c 1385 sm->ptk.kck, sm->ptk.kck_len,
087a1f4e 1386 sm->bssid, sm->own_addr,
869af307 1387 sm->network_ctx, sm->key_mgmt, NULL);
087a1f4e
JM		 1388 if (!sm->cur_pmksa)
1389 sm->cur_pmksa = sa;
1390 }
1391
761396e4 1392 sm->msg_3_of_4_ok = 1;
83935317
JM		 1393 return;
1394
1395failed:
1396 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
6fc6879b
JM		 1397}
1398
1399
1400static int wpa_supplicant_process_1_of_2_rsn(struct wpa_sm *sm,
1401 const u8 *keydata,
1402 size_t keydatalen,
1403 u16 key_info,
1404 struct wpa_gtk_data *gd)
1405{
1406 int maxkeylen;
1407 struct wpa_eapol_ie_parse ie;
1408
ecbdc1a1
JM		 1409 wpa_hexdump_key(MSG_DEBUG, "RSN: msg 1/2 key data",
1410 keydata, keydatalen);
d627a939
JM		 1411 if (wpa_supplicant_parse_ies(keydata, keydatalen, &ie) < 0)
1412 return -1;
6fc6879b 1413 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
f049052b
BG		 1414 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1415 "WPA: GTK IE in unencrypted key data");
6fc6879b
JM		 1416 return -1;
1417 }
1418 if (ie.gtk == NULL) {
f049052b
BG		 1419 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1420 "WPA: No GTK IE in Group Key msg 1/2");
6fc6879b
JM		 1421 return -1;
1422 }
1423 maxkeylen = gd->gtk_len = ie.gtk_len - 2;
1424
f049052b 1425 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
6fc6879b
JM		 1426 gd->gtk_len, maxkeylen,
1427 &gd->key_rsc_len, &gd->alg))
1428 return -1;
1429
7cb9bb4d
JM		 1430 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in group key handshake",
1431 ie.gtk, ie.gtk_len);
6fc6879b
JM		 1432 gd->keyidx = ie.gtk[0] & 0x3;
1433 gd->tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
1434 !!(ie.gtk[0] & BIT(2)));
1435 if (ie.gtk_len - 2 > sizeof(gd->gtk)) {
f049052b
BG		 1436 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1437 "RSN: Too long GTK in GTK IE (len=%lu)",
1438 (unsigned long) ie.gtk_len - 2);
6fc6879b
JM		 1439 return -1;
1440 }
1441 os_memcpy(gd->gtk, ie.gtk + 2, ie.gtk_len - 2);
1442
1443 if (ieee80211w_set_keys(sm, &ie) < 0)
f049052b
BG		 1444 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1445 "RSN: Failed to configure IGTK");
6fc6879b
JM		 1446
1447 return 0;
1448}
1449
1450
1451static int wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm,
1452 const struct wpa_eapol_key *key,
e6270129
JM		 1453 const u8 *key_data,
1454 size_t key_data_len, u16 key_info,
1455 u16 ver, struct wpa_gtk_data *gd)
6fc6879b
JM		 1456{
1457 size_t maxkeylen;
c397eff8 1458 u16 gtk_len;
6fc6879b 1459
c397eff8 1460 gtk_len = WPA_GET_BE16(key->key_length);
e6270129 1461 maxkeylen = key_data_len;
6fc6879b
JM		 1462 if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1463 if (maxkeylen < 8) {
f049052b
BG		 1464 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1465 "WPA: Too short maxkeylen (%lu)",
1466 (unsigned long) maxkeylen);
6fc6879b
JM		 1467 return -1;
1468 }
1469 maxkeylen -= 8;
1470 }
1471
c397eff8
JM		 1472 if (gtk_len > maxkeylen ||
1473 wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
1474 gtk_len, maxkeylen,
6fc6879b
JM		 1475 &gd->key_rsc_len, &gd->alg))
1476 return -1;
1477
c397eff8 1478 gd->gtk_len = gtk_len;
6fc6879b
JM		 1479 gd->keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
1480 WPA_KEY_INFO_KEY_INDEX_SHIFT;
98cd3d1c 1481 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
7cb53ded
JM		 1482#ifdef CONFIG_NO_RC4
1483 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1484 "WPA: RC4 not supported in the build");
1485 return -1;
1486#else /* CONFIG_NO_RC4 */
d2c33b91 1487 u8 ek[32];
e6270129 1488 if (key_data_len > sizeof(gd->gtk)) {
f049052b
BG		 1489 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1490 "WPA: RC4 key data too long (%lu)",
e6270129 1491 (unsigned long) key_data_len);
6fc6879b
JM		 1492 return -1;
1493 }
d2c33b91 1494 os_memcpy(ek, key->key_iv, 16);
98cd3d1c 1495 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
e6270129
JM		 1496 os_memcpy(gd->gtk, key_data, key_data_len);
1497 if (rc4_skip(ek, 32, 256, gd->gtk, key_data_len)) {
d2c33b91 1498 os_memset(ek, 0, sizeof(ek));
f049052b
BG		 1499 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
1500 "WPA: RC4 failed");
7a215dfc
JM		 1501 return -1;
1502 }
d2c33b91 1503 os_memset(ek, 0, sizeof(ek));
7cb53ded 1504#endif /* CONFIG_NO_RC4 */
6fc6879b 1505 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
e6270129 1506 if (maxkeylen % 8) {
f049052b
BG		 1507 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1508 "WPA: Unsupported AES-WRAP len %lu",
e6270129 1509 (unsigned long) maxkeylen);
6fc6879b
JM		 1510 return -1;
1511 }
1512 if (maxkeylen > sizeof(gd->gtk)) {
f049052b
BG		 1513 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1514 "WPA: AES-WRAP key data "
1515 "too long (keydatalen=%lu maxkeylen=%lu)",
e6270129 1516 (unsigned long) key_data_len,
f049052b 1517 (unsigned long) maxkeylen);
6fc6879b
JM		 1518 return -1;
1519 }
98cd3d1c
JM		 1520 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, maxkeylen / 8,
1521 key_data, gd->gtk)) {
f049052b
BG		 1522 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1523 "WPA: AES unwrap failed - could not decrypt "
1524 "GTK");
6fc6879b
JM		 1525 return -1;
1526 }
1527 } else {
f049052b
BG		 1528 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1529 "WPA: Unsupported key_info type %d", ver);
6fc6879b
JM		 1530 return -1;
1531 }
1532 gd->tx = wpa_supplicant_gtk_tx_bit_workaround(
1533 sm, !!(key_info & WPA_KEY_INFO_TXRX));
1534 return 0;
1535}
1536
1537
1538static int wpa_supplicant_send_2_of_2(struct wpa_sm *sm,
1539 const struct wpa_eapol_key *key,
1540 int ver, u16 key_info)
1541{
5e3b5197 1542 size_t mic_len, hdrlen, rlen;
6fc6879b 1543 struct wpa_eapol_key *reply;
5e3b5197 1544 u8 *rbuf, *key_mic;
6fc6879b 1545
5e3b5197 1546 mic_len = wpa_mic_len(sm->key_mgmt);
6d014ffc 1547 hdrlen = sizeof(*reply) + mic_len + 2;
6fc6879b 1548 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
5e3b5197 1549 hdrlen, &rlen, (void *) &reply);
6fc6879b
JM		 1550 if (rbuf == NULL)
1551 return -1;
1552
a14896e8
JM		 1553 reply->type = (sm->proto == WPA_PROTO_RSN ||
1554 sm->proto == WPA_PROTO_OSEN) ?
6fc6879b
JM		 1555 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1556 key_info &= WPA_KEY_INFO_KEY_INDEX_MASK;
4a26ccda
JM		 1557 key_info |= ver | WPA_KEY_INFO_SECURE;
1558 if (mic_len)
1559 key_info |= WPA_KEY_INFO_MIC;
6fc6879b 1560 WPA_PUT_BE16(reply->key_info, key_info);
a14896e8 1561 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
6fc6879b
JM		 1562 WPA_PUT_BE16(reply->key_length, 0);
1563 else
1564 os_memcpy(reply->key_length, key->key_length, 2);
1565 os_memcpy(reply->replay_counter, key->replay_counter,
1566 WPA_REPLAY_COUNTER_LEN);
1567
6d014ffc
JM		 1568 key_mic = (u8 *) (reply + 1);
1569 WPA_PUT_BE16(key_mic + mic_len, 0);
6fc6879b 1570
f049052b 1571 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/2");
1049af7e
JM		 1572 return wpa_eapol_key_send(sm, &sm->ptk, ver, sm->bssid, ETH_P_EAPOL,
1573 rbuf, rlen, key_mic);
6fc6879b
JM		 1574}
1575
1576
1577static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm,
1578 const unsigned char *src_addr,
1579 const struct wpa_eapol_key *key,
e6270129
JM		 1580 const u8 *key_data,
1581 size_t key_data_len, u16 ver)
6fc6879b 1582{
e6270129 1583 u16 key_info;
6fc6879b
JM		 1584 int rekey, ret;
1585 struct wpa_gtk_data gd;
73ed03f3 1586 const u8 *key_rsc;
6fc6879b 1587
761396e4
JM		 1588 if (!sm->msg_3_of_4_ok) {
1589 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1590 "WPA: Group Key Handshake started prior to completion of 4-way handshake");
1591 goto failed;
1592 }
1593
6fc6879b
JM		 1594 os_memset(&gd, 0, sizeof(gd));
1595
1596 rekey = wpa_sm_get_state(sm) == WPA_COMPLETED;
f049052b
BG		 1597 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 1 of Group Key "
1598 "Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
6fc6879b
JM		 1599
1600 key_info = WPA_GET_BE16(key->key_info);
6fc6879b 1601
a14896e8 1602 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
e6270129
JM		 1603 ret = wpa_supplicant_process_1_of_2_rsn(sm, key_data,
1604 key_data_len, key_info,
6fc6879b
JM		 1605 &gd);
1606 } else {
e6270129
JM		 1607 ret = wpa_supplicant_process_1_of_2_wpa(sm, key, key_data,
1608 key_data_len,
1609 key_info, ver, &gd);
6fc6879b
JM		 1610 }
1611
1612 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
1613
1614 if (ret)
83935317 1615 goto failed;
6fc6879b 1616
73ed03f3
MS		 1617 key_rsc = key->key_rsc;
1618 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
1619 key_rsc = null_rsc;
1620
1621 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc) ||
c93b7e18 1622 wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
83935317 1623 goto failed;
fbfc974c 1624 os_memset(&gd, 0, sizeof(gd));
6fc6879b
JM		 1625
1626 if (rekey) {
0f057fb2 1627 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Group rekeying "
6fc6879b
JM		 1628 "completed with " MACSTR " [GTK=%s]",
1629 MAC2STR(sm->bssid), wpa_cipher_txt(sm->group_cipher));
1630 wpa_sm_cancel_auth_timeout(sm);
1631 wpa_sm_set_state(sm, WPA_COMPLETED);
1632 } else {
1633 wpa_supplicant_key_neg_complete(sm, sm->bssid,
1634 key_info &
1635 WPA_KEY_INFO_SECURE);
1636 }
392e68e8
SD		 1637
1638 wpa_sm_set_rekey_offload(sm);
1639
83935317
JM		 1640 return;
1641
1642failed:
fbfc974c 1643 os_memset(&gd, 0, sizeof(gd));
83935317 1644 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
6fc6879b
JM		 1645}
1646
1647
1648static int wpa_supplicant_verify_eapol_key_mic(struct wpa_sm *sm,
6d014ffc 1649 struct wpa_eapol_key *key,
6fc6879b
JM		 1650 u16 ver,
1651 const u8 *buf, size_t len)
1652{
98cd3d1c 1653 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN];
6fc6879b 1654 int ok = 0;
5e3b5197 1655 size_t mic_len = wpa_mic_len(sm->key_mgmt);
6fc6879b 1656
6d014ffc 1657 os_memcpy(mic, key + 1, mic_len);
6fc6879b 1658 if (sm->tptk_set) {
6d014ffc 1659 os_memset(key + 1, 0, mic_len);
98cd3d1c 1660 wpa_eapol_key_mic(sm->tptk.kck, sm->tptk.kck_len, sm->key_mgmt,
6d014ffc
JM		 1661 ver, buf, len, (u8 *) (key + 1));
1662 if (os_memcmp_const(mic, key + 1, mic_len) != 0) {
f049052b
BG		 1663 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1664 "WPA: Invalid EAPOL-Key MIC "
1665 "when using TPTK - ignoring TPTK");
6fc6879b
JM		 1666 } else {
1667 ok = 1;
1668 sm->tptk_set = 0;
1669 sm->ptk_set = 1;
1670 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
d2c33b91 1671 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
6fc6879b
JM		 1672 }
1673 }
1674
1675 if (!ok && sm->ptk_set) {
6d014ffc 1676 os_memset(key + 1, 0, mic_len);
98cd3d1c 1677 wpa_eapol_key_mic(sm->ptk.kck, sm->ptk.kck_len, sm->key_mgmt,
6d014ffc
JM		 1678 ver, buf, len, (u8 *) (key + 1));
1679 if (os_memcmp_const(mic, key + 1, mic_len) != 0) {
f049052b
BG		 1680 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1681 "WPA: Invalid EAPOL-Key MIC - "
1682 "dropping packet");
6fc6879b
JM		 1683 return -1;
1684 }
1685 ok = 1;
1686 }
1687
1688 if (!ok) {
f049052b
BG		 1689 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1690 "WPA: Could not verify EAPOL-Key MIC - "
1691 "dropping packet");
6fc6879b
JM		 1692 return -1;
1693 }
1694
1695 os_memcpy(sm->rx_replay_counter, key->replay_counter,
1696 WPA_REPLAY_COUNTER_LEN);
1697 sm->rx_replay_counter_set = 1;
1698 return 0;
1699}
1700
1701
1702/* Decrypt RSN EAPOL-Key key data (RC4 or AES-WRAP) */
1703static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm,
6d014ffc
JM		 1704 struct wpa_eapol_key *key,
1705 size_t mic_len, u16 ver,
e6270129 1706 u8 *key_data, size_t *key_data_len)
6fc6879b 1707{
6fc6879b 1708 wpa_hexdump(MSG_DEBUG, "RSN: encrypted key data",
e6270129 1709 key_data, *key_data_len);
6fc6879b 1710 if (!sm->ptk_set) {
f049052b
BG		 1711 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1712 "WPA: PTK not available, cannot decrypt EAPOL-Key Key "
1713 "Data");
6fc6879b
JM		 1714 return -1;
1715 }
1716
1717 /* Decrypt key data here so that this operation does not need
1718 * to be implemented separately for each message type. */
98cd3d1c 1719 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
7cb53ded
JM		 1720#ifdef CONFIG_NO_RC4
1721 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1722 "WPA: RC4 not supported in the build");
1723 return -1;
1724#else /* CONFIG_NO_RC4 */
6fc6879b 1725 u8 ek[32];
ef9627cb
JM		 1726
1727 wpa_printf(MSG_DEBUG, "WPA: Decrypt Key Data using RC4");
6fc6879b 1728 os_memcpy(ek, key->key_iv, 16);
98cd3d1c 1729 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
e6270129 1730 if (rc4_skip(ek, 32, 256, key_data, *key_data_len)) {
d2c33b91 1731 os_memset(ek, 0, sizeof(ek));
f049052b
BG		 1732 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
1733 "WPA: RC4 failed");
7a215dfc
JM		 1734 return -1;
1735 }
d2c33b91 1736 os_memset(ek, 0, sizeof(ek));
7cb53ded 1737#endif /* CONFIG_NO_RC4 */
6fc6879b 1738 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
df0f01d9 1739 ver == WPA_KEY_INFO_TYPE_AES_128_CMAC ||
07a5fe82 1740 sm->key_mgmt == WPA_KEY_MGMT_OWE ||
929a2ea5
JM		 1741 sm->key_mgmt == WPA_KEY_MGMT_OSEN ||
1742 wpa_key_mgmt_suite_b(sm->key_mgmt)) {
6fc6879b 1743 u8 *buf;
ef9627cb
JM		 1744
1745 wpa_printf(MSG_DEBUG,
1746 "WPA: Decrypt Key Data using AES-UNWRAP (KEK length %u)",
1747 (unsigned int) sm->ptk.kek_len);
e6270129 1748 if (*key_data_len < 8 || *key_data_len % 8) {
f049052b 1749 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
e6270129
JM		 1750 "WPA: Unsupported AES-WRAP len %u",
1751 (unsigned int) *key_data_len);
6fc6879b
JM		 1752 return -1;
1753 }
e6270129
JM		 1754 *key_data_len -= 8; /* AES-WRAP adds 8 bytes */
1755 buf = os_malloc(*key_data_len);
6fc6879b 1756 if (buf == NULL) {
f049052b
BG		 1757 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1758 "WPA: No memory for AES-UNWRAP buffer");
6fc6879b
JM		 1759 return -1;
1760 }
98cd3d1c 1761 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, *key_data_len / 8,
e6270129 1762 key_data, buf)) {
cd5895e8 1763 bin_clear_free(buf, *key_data_len);
f049052b
BG		 1764 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1765 "WPA: AES unwrap failed - "
1766 "could not decrypt EAPOL-Key key data");
6fc6879b
JM		 1767 return -1;
1768 }
e6270129 1769 os_memcpy(key_data, buf, *key_data_len);
cd5895e8 1770 bin_clear_free(buf, *key_data_len);
6d014ffc 1771 WPA_PUT_BE16(((u8 *) (key + 1)) + mic_len, *key_data_len);
6fc6879b 1772 } else {
f049052b
BG		 1773 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1774 "WPA: Unsupported key_info type %d", ver);
6fc6879b
JM		 1775 return -1;
1776 }
1777 wpa_hexdump_key(MSG_DEBUG, "WPA: decrypted EAPOL-Key key data",
e6270129 1778 key_data, *key_data_len);
6fc6879b
JM		 1779 return 0;
1780}
1781
1782
1783/**
1784 * wpa_sm_aborted_cached - Notify WPA that PMKSA caching was aborted
1785 * @sm: Pointer to WPA state machine data from wpa_sm_init()
1786 */
1787void wpa_sm_aborted_cached(struct wpa_sm *sm)
1788{
1789 if (sm && sm->cur_pmksa) {
f049052b
BG		 1790 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1791 "RSN: Cancelling PMKSA caching attempt");
6fc6879b
JM		 1792 sm->cur_pmksa = NULL;
1793 }
1794}
1795
1796
f049052b 1797static void wpa_eapol_key_dump(struct wpa_sm *sm,
5e3b5197
JM		 1798 const struct wpa_eapol_key *key,
1799 unsigned int key_data_len,
1800 const u8 *mic, unsigned int mic_len)
6fc6879b
JM		 1801{
1802#ifndef CONFIG_NO_STDOUT_DEBUG
1803 u16 key_info = WPA_GET_BE16(key->key_info);
1804
f049052b
BG		 1805 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, " EAPOL-Key type=%d", key->type);
1806 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1807 " key_info 0x%x (ver=%d keyidx=%d rsvd=%d %s%s%s%s%s%s%s%s)",
1808 key_info, key_info & WPA_KEY_INFO_TYPE_MASK,
1809 (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
1810 WPA_KEY_INFO_KEY_INDEX_SHIFT,
1811 (key_info & (BIT(13) | BIT(14) | BIT(15))) >> 13,
1812 key_info & WPA_KEY_INFO_KEY_TYPE ? "Pairwise" : "Group",
1813 key_info & WPA_KEY_INFO_INSTALL ? " Install" : "",
1814 key_info & WPA_KEY_INFO_ACK ? " Ack" : "",
1815 key_info & WPA_KEY_INFO_MIC ? " MIC" : "",
1816 key_info & WPA_KEY_INFO_SECURE ? " Secure" : "",
1817 key_info & WPA_KEY_INFO_ERROR ? " Error" : "",
1818 key_info & WPA_KEY_INFO_REQUEST ? " Request" : "",
1819 key_info & WPA_KEY_INFO_ENCR_KEY_DATA ? " Encr" : "");
1820 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1821 " key_length=%u key_data_length=%u",
5e3b5197 1822 WPA_GET_BE16(key->key_length), key_data_len);
6fc6879b
JM		 1823 wpa_hexdump(MSG_DEBUG, " replay_counter",
1824 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1825 wpa_hexdump(MSG_DEBUG, " key_nonce", key->key_nonce, WPA_NONCE_LEN);
1826 wpa_hexdump(MSG_DEBUG, " key_iv", key->key_iv, 16);
1827 wpa_hexdump(MSG_DEBUG, " key_rsc", key->key_rsc, 8);
1828 wpa_hexdump(MSG_DEBUG, " key_id (reserved)", key->key_id, 8);
5e3b5197 1829 wpa_hexdump(MSG_DEBUG, " key_mic", mic, mic_len);
6fc6879b
JM		 1830#endif /* CONFIG_NO_STDOUT_DEBUG */
1831}
1832
1833
0ab1dd01
JM		 1834#ifdef CONFIG_FILS
1835static int wpa_supp_aead_decrypt(struct wpa_sm *sm, u8 *buf, size_t buf_len,
1836 size_t *key_data_len)
1837{
1838 struct wpa_ptk *ptk;
1839 struct ieee802_1x_hdr *hdr;
1840 struct wpa_eapol_key *key;
1841 u8 *pos, *tmp;
1842 const u8 *aad[1];
1843 size_t aad_len[1];
1844
1845 if (*key_data_len < AES_BLOCK_SIZE) {
1846 wpa_printf(MSG_INFO, "No room for AES-SIV data in the frame");
1847 return -1;
1848 }
1849
1850 if (sm->tptk_set)
1851 ptk = &sm->tptk;
1852 else if (sm->ptk_set)
1853 ptk = &sm->ptk;
1854 else
1855 return -1;
1856
1857 hdr = (struct ieee802_1x_hdr *) buf;
1858 key = (struct wpa_eapol_key *) (hdr + 1);
1859 pos = (u8 *) (key + 1);
1860 pos += 2; /* Pointing at the Encrypted Key Data field */
1861
1862 tmp = os_malloc(*key_data_len);
1863 if (!tmp)
1864 return -1;
1865
1866 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
1867 * to Key Data (exclusive). */
1868 aad[0] = buf;
1869 aad_len[0] = pos - buf;
1870 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, *key_data_len,
1871 1, aad, aad_len, tmp) < 0) {
1872 wpa_printf(MSG_INFO, "Invalid AES-SIV data in the frame");
1873 bin_clear_free(tmp, *key_data_len);
1874 return -1;
1875 }
1876
1877 /* AEAD decryption and validation completed successfully */
1878 (*key_data_len) -= AES_BLOCK_SIZE;
1879 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
1880 tmp, *key_data_len);
1881
1882 /* Replace Key Data field with the decrypted version */
1883 os_memcpy(pos, tmp, *key_data_len);
1884 pos -= 2; /* Key Data Length field */
1885 WPA_PUT_BE16(pos, *key_data_len);
1886 bin_clear_free(tmp, *key_data_len);
1887
1888 if (sm->tptk_set) {
1889 sm->tptk_set = 0;
1890 sm->ptk_set = 1;
1891 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
1892 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
1893 }
1894
1895 os_memcpy(sm->rx_replay_counter, key->replay_counter,
1896 WPA_REPLAY_COUNTER_LEN);
1897 sm->rx_replay_counter_set = 1;
1898
1899 return 0;
1900}
1901#endif /* CONFIG_FILS */
1902
1903
6fc6879b
JM		 1904/**
1905 * wpa_sm_rx_eapol - Process received WPA EAPOL frames
1906 * @sm: Pointer to WPA state machine data from wpa_sm_init()
1907 * @src_addr: Source MAC address of the EAPOL packet
1908 * @buf: Pointer to the beginning of the EAPOL data (EAPOL header)
1909 * @len: Length of the EAPOL frame
1910 * Returns: 1 = WPA EAPOL-Key processed, 0 = not a WPA EAPOL-Key, -1 failure
1911 *
1912 * This function is called for each received EAPOL frame. Other than EAPOL-Key
1913 * frames can be skipped if filtering is done elsewhere. wpa_sm_rx_eapol() is
1914 * only processing WPA and WPA2 EAPOL-Key frames.
1915 *
1916 * The received EAPOL-Key packets are validated and valid packets are replied
1917 * to. In addition, key material (PTK, GTK) is configured at the end of a
1918 * successful key handshake.
1919 */
1920int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr,
1921 const u8 *buf, size_t len)
1922{
e6270129 1923 size_t plen, data_len, key_data_len;
d56d7e56 1924 const struct ieee802_1x_hdr *hdr;
6fc6879b
JM		 1925 struct wpa_eapol_key *key;
1926 u16 key_info, ver;
d56d7e56 1927 u8 *tmp = NULL;
6fc6879b
JM		 1928 int ret = -1;
1929 struct wpa_peerkey *peerkey = NULL;
6d014ffc 1930 u8 *mic, *key_data;
5e3b5197 1931 size_t mic_len, keyhdrlen;
6fc6879b
JM		 1932
1933#ifdef CONFIG_IEEE80211R
1934 sm->ft_completed = 0;
1935#endif /* CONFIG_IEEE80211R */
1936
5e3b5197 1937 mic_len = wpa_mic_len(sm->key_mgmt);
6d014ffc 1938 keyhdrlen = sizeof(*key) + mic_len + 2;
5e3b5197
JM		 1939
1940 if (len < sizeof(*hdr) + keyhdrlen) {
f049052b
BG		 1941 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1942 "WPA: EAPOL frame too short to be a WPA "
1943 "EAPOL-Key (len %lu, expecting at least %lu)",
1944 (unsigned long) len,
5e3b5197 1945 (unsigned long) sizeof(*hdr) + keyhdrlen);
6fc6879b
JM		 1946 return 0;
1947 }
1948
d56d7e56 1949 hdr = (const struct ieee802_1x_hdr *) buf;
6fc6879b
JM		 1950 plen = be_to_host16(hdr->length);
1951 data_len = plen + sizeof(*hdr);
f049052b
BG		 1952 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1953 "IEEE 802.1X RX: version=%d type=%d length=%lu",
1954 hdr->version, hdr->type, (unsigned long) plen);
6fc6879b
JM		 1955
1956 if (hdr->version < EAPOL_VERSION) {
1957 /* TODO: backwards compatibility */
1958 }
1959 if (hdr->type != IEEE802_1X_TYPE_EAPOL_KEY) {
f049052b
BG		 1960 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1961 "WPA: EAPOL frame (type %u) discarded, "
6fc6879b
JM		 1962 "not a Key frame", hdr->type);
1963 ret = 0;
1964 goto out;
1965 }
d56d7e56 1966 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL-Key", buf, len);
5e3b5197 1967 if (plen > len - sizeof(*hdr) || plen < keyhdrlen) {
f049052b
BG		 1968 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1969 "WPA: EAPOL frame payload size %lu "
1970 "invalid (frame size %lu)",
1971 (unsigned long) plen, (unsigned long) len);
6fc6879b
JM		 1972 ret = 0;
1973 goto out;
1974 }
d56d7e56
JM		 1975 if (data_len < len) {
1976 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1977 "WPA: ignoring %lu bytes after the IEEE 802.1X data",
1978 (unsigned long) len - data_len);
1979 }
1980
1981 /*
1982 * Make a copy of the frame since we need to modify the buffer during
1983 * MAC validation and Key Data decryption.
1984 */
a1f11e34 1985 tmp = os_memdup(buf, data_len);
d56d7e56
JM		 1986 if (tmp == NULL)
1987 goto out;
d56d7e56 1988 key = (struct wpa_eapol_key *) (tmp + sizeof(struct ieee802_1x_hdr));
6d014ffc
JM		 1989 mic = (u8 *) (key + 1);
1990 key_data = mic + mic_len + 2;
6fc6879b
JM		 1991
1992 if (key->type != EAPOL_KEY_TYPE_WPA && key->type != EAPOL_KEY_TYPE_RSN)
1993 {
f049052b
BG		 1994 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1995 "WPA: EAPOL-Key type (%d) unknown, discarded",
1996 key->type);
6fc6879b
JM		 1997 ret = 0;
1998 goto out;
1999 }
6fc6879b 2000
6d014ffc
JM		 2001 key_data_len = WPA_GET_BE16(mic + mic_len);
2002 wpa_eapol_key_dump(sm, key, key_data_len, mic, mic_len);
5e3b5197
JM		 2003
2004 if (key_data_len > plen - keyhdrlen) {
d56d7e56
JM		 2005 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Invalid EAPOL-Key "
2006 "frame - key_data overflow (%u > %u)",
e6270129 2007 (unsigned int) key_data_len,
5e3b5197 2008 (unsigned int) (plen - keyhdrlen));
d56d7e56 2009 goto out;
6fc6879b 2010 }
d56d7e56
JM		 2011
2012 eapol_sm_notify_lower_layer_success(sm->eapol, 0);
6fc6879b
JM		 2013 key_info = WPA_GET_BE16(key->key_info);
2014 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
2015 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
a20088e5 2016#if defined(CONFIG_IEEE80211R) || defined(CONFIG_IEEE80211W)
6fc6879b 2017 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
a20088e5 2018#endif /* CONFIG_IEEE80211R || CONFIG_IEEE80211W */
df0f01d9 2019 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES &&
929a2ea5 2020 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
352caf00 2021 !wpa_key_mgmt_fils(sm->key_mgmt) &&
07a5fe82 2022 sm->key_mgmt != WPA_KEY_MGMT_OWE &&
df0f01d9 2023 sm->key_mgmt != WPA_KEY_MGMT_OSEN) {
f049052b
BG		 2024 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2025 "WPA: Unsupported EAPOL-Key descriptor version %d",
2026 ver);
6fc6879b
JM		 2027 goto out;
2028 }
2029
df0f01d9
JM		 2030 if (sm->key_mgmt == WPA_KEY_MGMT_OSEN &&
2031 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
2032 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2033 "OSEN: Unsupported EAPOL-Key descriptor version %d",
2034 ver);
2035 goto out;
2036 }
2037
352caf00 2038 if ((wpa_key_mgmt_suite_b(sm->key_mgmt) ||
07a5fe82
JM		 2039 wpa_key_mgmt_fils(sm->key_mgmt) ||
2040 sm->key_mgmt == WPA_KEY_MGMT_OWE) &&
929a2ea5
JM		 2041 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
2042 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2043 "RSN: Unsupported EAPOL-Key descriptor version %d (expected AKM defined = 0)",
2044 ver);
2045 goto out;
2046 }
2047
6fc6879b 2048#ifdef CONFIG_IEEE80211R
56586197 2049 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
6fc6879b
JM		 2050 /* IEEE 802.11r uses a new key_info type (AES-128-CMAC). */
2051 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
f049052b
BG		 2052 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2053 "FT: AP did not use AES-128-CMAC");
6fc6879b
JM		 2054 goto out;
2055 }
2056 } else
2057#endif /* CONFIG_IEEE80211R */
56586197
JM		 2058#ifdef CONFIG_IEEE80211W
2059 if (wpa_key_mgmt_sha256(sm->key_mgmt)) {
df0f01d9 2060 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
929a2ea5 2061 sm->key_mgmt != WPA_KEY_MGMT_OSEN &&
352caf00 2062 !wpa_key_mgmt_fils(sm->key_mgmt) &&
929a2ea5 2063 !wpa_key_mgmt_suite_b(sm->key_mgmt)) {
f049052b
BG		 2064 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2065 "WPA: AP did not use the "
2066 "negotiated AES-128-CMAC");
56586197
JM		 2067 goto out;
2068 }
2069 } else
2070#endif /* CONFIG_IEEE80211W */
6fc6879b 2071 if (sm->pairwise_cipher == WPA_CIPHER_CCMP &&
929a2ea5 2072 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
352caf00 2073 !wpa_key_mgmt_fils(sm->key_mgmt) &&
07a5fe82 2074 sm->key_mgmt != WPA_KEY_MGMT_OWE &&
6fc6879b 2075 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
f049052b
BG		 2076 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2077 "WPA: CCMP is used, but EAPOL-Key "
2078 "descriptor version (%d) is not 2", ver);
6fc6879b
JM		 2079 if (sm->group_cipher != WPA_CIPHER_CCMP &&
2080 !(key_info & WPA_KEY_INFO_KEY_TYPE)) {
2081 /* Earlier versions of IEEE 802.11i did not explicitly
2082 * require version 2 descriptor for all EAPOL-Key
2083 * packets, so allow group keys to use version 1 if
2084 * CCMP is not used for them. */
f049052b
BG		 2085 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2086 "WPA: Backwards compatibility: allow invalid "
2087 "version for non-CCMP group keys");
9f6a7cdd
JM		 2088 } else if (ver == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
2089 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2090 "WPA: Interoperability workaround: allow incorrect (should have been HMAC-SHA1), but stronger (is AES-128-CMAC), descriptor version to be used");
6fc6879b
JM		 2091 } else
2092 goto out;
801e1173 2093 } else if (sm->pairwise_cipher == WPA_CIPHER_GCMP &&
929a2ea5 2094 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
801e1173 2095 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
eb7719ff
JM		 2096 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2097 "WPA: GCMP is used, but EAPOL-Key "
2098 "descriptor version (%d) is not 2", ver);
2099 goto out;
2100 }
6fc6879b
JM		 2101
2102#ifdef CONFIG_PEERKEY
2103 for (peerkey = sm->peerkey; peerkey; peerkey = peerkey->next) {
2104 if (os_memcmp(peerkey->addr, src_addr, ETH_ALEN) == 0)
2105 break;
2106 }
2107
2108 if (!(key_info & WPA_KEY_INFO_SMK_MESSAGE) && peerkey) {
2109 if (!peerkey->initiator && peerkey->replay_counter_set &&
2110 os_memcmp(key->replay_counter, peerkey->replay_counter,
2111 WPA_REPLAY_COUNTER_LEN) <= 0) {
f049052b
BG		 2112 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2113 "RSN: EAPOL-Key Replay Counter did not "
2114 "increase (STK) - dropping packet");
6fc6879b
JM		 2115 goto out;
2116 } else if (peerkey->initiator) {
2117 u8 _tmp[WPA_REPLAY_COUNTER_LEN];
2118 os_memcpy(_tmp, key->replay_counter,
2119 WPA_REPLAY_COUNTER_LEN);
2120 inc_byte_array(_tmp, WPA_REPLAY_COUNTER_LEN);
2121 if (os_memcmp(_tmp, peerkey->replay_counter,
2122 WPA_REPLAY_COUNTER_LEN) != 0) {
f049052b
BG		 2123 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2124 "RSN: EAPOL-Key Replay "
2125 "Counter did not match (STK) - "
2126 "dropping packet");
6fc6879b
JM		 2127 goto out;
2128 }
2129 }
2130 }
2131
2132 if (peerkey && peerkey->initiator && (key_info & WPA_KEY_INFO_ACK)) {
f049052b
BG		 2133 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2134 "RSN: Ack bit in key_info from STK peer");
6fc6879b
JM		 2135 goto out;
2136 }
2137#endif /* CONFIG_PEERKEY */
2138
2139 if (!peerkey && sm->rx_replay_counter_set &&
2140 os_memcmp(key->replay_counter, sm->rx_replay_counter,
2141 WPA_REPLAY_COUNTER_LEN) <= 0) {
f049052b
BG		 2142 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2143 "WPA: EAPOL-Key Replay Counter did not increase - "
2144 "dropping packet");
6fc6879b
JM		 2145 goto out;
2146 }
2147
2148 if (!(key_info & (WPA_KEY_INFO_ACK | WPA_KEY_INFO_SMK_MESSAGE))
2149#ifdef CONFIG_PEERKEY
2150 && (peerkey == NULL || !peerkey->initiator)
2151#endif /* CONFIG_PEERKEY */
2152 ) {
f049052b
BG		 2153 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2154 "WPA: No Ack bit in key_info");
6fc6879b
JM		 2155 goto out;
2156 }
2157
2158 if (key_info & WPA_KEY_INFO_REQUEST) {
f049052b
BG		 2159 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2160 "WPA: EAPOL-Key with Request bit - dropped");
6fc6879b
JM		 2161 goto out;
2162 }
2163
2164 if ((key_info & WPA_KEY_INFO_MIC) && !peerkey &&
6d014ffc 2165 wpa_supplicant_verify_eapol_key_mic(sm, key, ver, tmp, data_len))
6fc6879b
JM		 2166 goto out;
2167
2168#ifdef CONFIG_PEERKEY
2169 if ((key_info & WPA_KEY_INFO_MIC) && peerkey &&
6d014ffc 2170 peerkey_verify_eapol_key_mic(sm, peerkey, key, ver, tmp,
5e3b5197 2171 data_len))
6fc6879b
JM		 2172 goto out;
2173#endif /* CONFIG_PEERKEY */
2174
0ab1dd01
JM		 2175#ifdef CONFIG_FILS
2176 if (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
2177 if (wpa_supp_aead_decrypt(sm, tmp, data_len, &key_data_len))
2178 goto out;
2179 }
2180#endif /* CONFIG_FILS */
2181
a14896e8 2182 if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
0ab1dd01 2183 (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && mic_len) {
6d014ffc
JM		 2184 if (wpa_supplicant_decrypt_key_data(sm, key, mic_len,
2185 ver, key_data,
e6270129 2186 &key_data_len))
d56d7e56 2187 goto out;
6fc6879b
JM		 2188 }
2189
2190 if (key_info & WPA_KEY_INFO_KEY_TYPE) {
2191 if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) {
f049052b
BG		 2192 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2193 "WPA: Ignored EAPOL-Key (Pairwise) with "
2194 "non-zero key index");
6fc6879b
JM		 2195 goto out;
2196 }
2197 if (peerkey) {
2198 /* PeerKey 4-Way Handshake */
f107d00c
JM		 2199 peerkey_rx_eapol_4way(sm, peerkey, key, key_info, ver,
2200 key_data, key_data_len);
0ab1dd01
JM		 2201 } else if (key_info & (WPA_KEY_INFO_MIC |
2202 WPA_KEY_INFO_ENCR_KEY_DATA)) {
6fc6879b 2203 /* 3/4 4-Way Handshake */
e6270129
JM		 2204 wpa_supplicant_process_3_of_4(sm, key, ver, key_data,
2205 key_data_len);
6fc6879b
JM		 2206 } else {
2207 /* 1/4 4-Way Handshake */
2208 wpa_supplicant_process_1_of_4(sm, src_addr, key,
e6270129
JM		 2209 ver, key_data,
2210 key_data_len);
6fc6879b
JM		 2211 }
2212 } else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
2213 /* PeerKey SMK Handshake */
28fb9bb1
JM		 2214 peerkey_rx_eapol_smk(sm, src_addr, key, key_data, key_data_len,
2215 key_info, ver);
6fc6879b 2216 } else {
16eb4858
JM		 2217 if ((mic_len && (key_info & WPA_KEY_INFO_MIC)) ||
2218 (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA))) {
6fc6879b
JM		 2219 /* 1/2 Group Key Handshake */
2220 wpa_supplicant_process_1_of_2(sm, src_addr, key,
e6270129
JM		 2221 key_data, key_data_len,
2222 ver);
6fc6879b 2223 } else {
f049052b 2224 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
16eb4858 2225 "WPA: EAPOL-Key (Group) without Mic/Encr bit - "
f049052b 2226 "dropped");
6fc6879b
JM		 2227 }
2228 }
2229
2230 ret = 1;
2231
2232out:
fbfc974c 2233 bin_clear_free(tmp, data_len);
6fc6879b
JM		 2234 return ret;
2235}
2236
2237
2238#ifdef CONFIG_CTRL_IFACE
6fc6879b
JM		 2239static u32 wpa_key_mgmt_suite(struct wpa_sm *sm)
2240{
2241 switch (sm->key_mgmt) {
2242 case WPA_KEY_MGMT_IEEE8021X:
a14896e8
JM		 2243 return ((sm->proto == WPA_PROTO_RSN ||
2244 sm->proto == WPA_PROTO_OSEN) ?
6fc6879b
JM		 2245 RSN_AUTH_KEY_MGMT_UNSPEC_802_1X :
2246 WPA_AUTH_KEY_MGMT_UNSPEC_802_1X);
2247 case WPA_KEY_MGMT_PSK:
2248 return (sm->proto == WPA_PROTO_RSN ?
2249 RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X :
2250 WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X);
2251#ifdef CONFIG_IEEE80211R
2252 case WPA_KEY_MGMT_FT_IEEE8021X:
2253 return RSN_AUTH_KEY_MGMT_FT_802_1X;
2254 case WPA_KEY_MGMT_FT_PSK:
2255 return RSN_AUTH_KEY_MGMT_FT_PSK;
2256#endif /* CONFIG_IEEE80211R */
56586197
JM		 2257#ifdef CONFIG_IEEE80211W
2258 case WPA_KEY_MGMT_IEEE8021X_SHA256:
2259 return RSN_AUTH_KEY_MGMT_802_1X_SHA256;
2260 case WPA_KEY_MGMT_PSK_SHA256:
2261 return RSN_AUTH_KEY_MGMT_PSK_SHA256;
2262#endif /* CONFIG_IEEE80211W */
369c8d7b
JM		 2263 case WPA_KEY_MGMT_CCKM:
2264 return (sm->proto == WPA_PROTO_RSN ?
2265 RSN_AUTH_KEY_MGMT_CCKM:
2266 WPA_AUTH_KEY_MGMT_CCKM);
6fc6879b
JM		 2267 case WPA_KEY_MGMT_WPA_NONE:
2268 return WPA_AUTH_KEY_MGMT_NONE;
666497c8
JM		 2269 case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
2270 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B;
5e3b5197
JM		 2271 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
2272 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192;
6fc6879b
JM		 2273 default:
2274 return 0;
2275 }
2276}
2277
2278
6fc6879b
JM		 2279#define RSN_SUITE "%02x-%02x-%02x-%d"
2280#define RSN_SUITE_ARG(s) \
2281((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
2282
2283/**
2284 * wpa_sm_get_mib - Dump text list of MIB entries
2285 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2286 * @buf: Buffer for the list
2287 * @buflen: Length of the buffer
2288 * Returns: Number of bytes written to buffer
2289 *
2290 * This function is used fetch dot11 MIB variables.
2291 */
2292int wpa_sm_get_mib(struct wpa_sm *sm, char *buf, size_t buflen)
2293{
2294 char pmkid_txt[PMKID_LEN * 2 + 1];
2295 int rsna, ret;
2296 size_t len;
2297
2298 if (sm->cur_pmksa) {
2299 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
2300 sm->cur_pmksa->pmkid, PMKID_LEN);
2301 } else
2302 pmkid_txt[0] = '\0';
2303
56586197
JM		 2304 if ((wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
2305 wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt)) &&
6fc6879b
JM		 2306 sm->proto == WPA_PROTO_RSN)
2307 rsna = 1;
2308 else
2309 rsna = 0;
2310
2311 ret = os_snprintf(buf, buflen,
2312 "dot11RSNAOptionImplemented=TRUE\n"
2313 "dot11RSNAPreauthenticationImplemented=TRUE\n"
2314 "dot11RSNAEnabled=%s\n"
2315 "dot11RSNAPreauthenticationEnabled=%s\n"
2316 "dot11RSNAConfigVersion=%d\n"
2317 "dot11RSNAConfigPairwiseKeysSupported=5\n"
2318 "dot11RSNAConfigGroupCipherSize=%d\n"
2319 "dot11RSNAConfigPMKLifetime=%d\n"
2320 "dot11RSNAConfigPMKReauthThreshold=%d\n"
2321 "dot11RSNAConfigNumberOfPTKSAReplayCounters=1\n"
2322 "dot11RSNAConfigSATimeout=%d\n",
2323 rsna ? "TRUE" : "FALSE",
2324 rsna ? "TRUE" : "FALSE",
2325 RSN_VERSION,
c3550295 2326 wpa_cipher_key_len(sm->group_cipher) * 8,
6fc6879b
JM		 2327 sm->dot11RSNAConfigPMKLifetime,
2328 sm->dot11RSNAConfigPMKReauthThreshold,
2329 sm->dot11RSNAConfigSATimeout);
d85e1fc8 2330 if (os_snprintf_error(buflen, ret))
6fc6879b
JM		 2331 return 0;
2332 len = ret;
2333
2334 ret = os_snprintf(
2335 buf + len, buflen - len,
2336 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
2337 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
2338 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
2339 "dot11RSNAPMKIDUsed=%s\n"
2340 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
2341 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
2342 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
2343 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n"
2344 "dot11RSNA4WayHandshakeFailures=%u\n",
2345 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
c3550295
JM		 2346 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2347 sm->pairwise_cipher)),
2348 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2349 sm->group_cipher)),
6fc6879b
JM		 2350 pmkid_txt,
2351 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
c3550295
JM		 2352 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2353 sm->pairwise_cipher)),
2354 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2355 sm->group_cipher)),
6fc6879b 2356 sm->dot11RSNA4WayHandshakeFailures);
1f102d3b 2357 if (!os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 2358 len += ret;
2359
2360 return (int) len;
2361}
2362#endif /* CONFIG_CTRL_IFACE */
2363
2364
2365static void wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
6aaac006 2366 void *ctx, enum pmksa_free_reason reason)
6fc6879b
JM		 2367{
2368 struct wpa_sm *sm = ctx;
6aaac006 2369 int deauth = 0;
6fc6879b 2370
6aaac006
DW		 2371 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: PMKSA cache entry free_cb: "
2372 MACSTR " reason=%d", MAC2STR(entry->aa), reason);
2373
2374 if (sm->cur_pmksa == entry) {
2375 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2376 "RSN: %s current PMKSA entry",
2377 reason == PMKSA_REPLACE ? "replaced" : "removed");
2378 pmksa_cache_clear_current(sm);
2379
2380 /*
2381 * If an entry is simply being replaced, there's no need to
2382 * deauthenticate because it will be immediately re-added.
2383 * This happens when EAP authentication is completed again
2384 * (reauth or failed PMKSA caching attempt).
2385 */
2386 if (reason != PMKSA_REPLACE)
2387 deauth = 1;
2388 }
2389
2390 if (reason == PMKSA_EXPIRE &&
6fc6879b
JM		 2391 (sm->pmk_len == entry->pmk_len &&
2392 os_memcmp(sm->pmk, entry->pmk, sm->pmk_len) == 0)) {
f049052b 2393 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
6aaac006
DW		 2394 "RSN: deauthenticating due to expired PMK");
2395 pmksa_cache_clear_current(sm);
2396 deauth = 1;
2397 }
6fc6879b 2398
6aaac006 2399 if (deauth) {
6fc6879b
JM		 2400 os_memset(sm->pmk, 0, sizeof(sm->pmk));
2401 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
6fc6879b
JM		 2402 }
2403}
2404
2405
2406/**
2407 * wpa_sm_init - Initialize WPA state machine
2408 * @ctx: Context pointer for callbacks; this needs to be an allocated buffer
2409 * Returns: Pointer to the allocated WPA state machine data
2410 *
2411 * This function is used to allocate a new WPA state machine and the returned
2412 * value is passed to all WPA state machine calls.
2413 */
2414struct wpa_sm * wpa_sm_init(struct wpa_sm_ctx *ctx)
2415{
2416 struct wpa_sm *sm;
2417
2418 sm = os_zalloc(sizeof(*sm));
2419 if (sm == NULL)
2420 return NULL;
c5b26e33 2421 dl_list_init(&sm->pmksa_candidates);
6fc6879b
JM		 2422 sm->renew_snonce = 1;
2423 sm->ctx = ctx;
2424
2425 sm->dot11RSNAConfigPMKLifetime = 43200;
2426 sm->dot11RSNAConfigPMKReauthThreshold = 70;
2427 sm->dot11RSNAConfigSATimeout = 60;
2428
2429 sm->pmksa = pmksa_cache_init(wpa_sm_pmksa_free_cb, sm, sm);
2430 if (sm->pmksa == NULL) {
f049052b
BG		 2431 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
2432 "RSN: PMKSA cache initialization failed");
6fc6879b
JM		 2433 os_free(sm);
2434 return NULL;
2435 }
2436
2437 return sm;
2438}
2439
2440
2441/**
2442 * wpa_sm_deinit - Deinitialize WPA state machine
2443 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2444 */
2445void wpa_sm_deinit(struct wpa_sm *sm)
2446{
2447 if (sm == NULL)
2448 return;
2449 pmksa_cache_deinit(sm->pmksa);
2450 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
581a8cde 2451 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
6fc6879b
JM		 2452 os_free(sm->assoc_wpa_ie);
2453 os_free(sm->ap_wpa_ie);
2454 os_free(sm->ap_rsn_ie);
71932544 2455 wpa_sm_drop_sa(sm);
6fc6879b
JM		 2456 os_free(sm->ctx);
2457 peerkey_deinit(sm);
55046414
JM		 2458#ifdef CONFIG_IEEE80211R
2459 os_free(sm->assoc_resp_ies);
2460#endif /* CONFIG_IEEE80211R */
651c6a84
JM		 2461#ifdef CONFIG_TESTING_OPTIONS
2462 wpabuf_free(sm->test_assoc_ie);
2463#endif /* CONFIG_TESTING_OPTIONS */
0119d442 2464#ifdef CONFIG_FILS_SK_PFS
76e20f4f 2465 crypto_ecdh_deinit(sm->fils_ecdh);
0119d442 2466#endif /* CONFIG_FILS_SK_PFS */
0a614799
JM		 2467#ifdef CONFIG_OWE
2468 crypto_ecdh_deinit(sm->owe_ecdh);
2469#endif /* CONFIG_OWE */
6fc6879b
JM		 2470 os_free(sm);
2471}
2472
2473
2474/**
2475 * wpa_sm_notify_assoc - Notify WPA state machine about association
2476 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2477 * @bssid: The BSSID of the new association
2478 *
2479 * This function is called to let WPA state machine know that the connection
2480 * was established.
2481 */
2482void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
2483{
58a98fb0
JM		 2484 int clear_ptk = 1;
2485
6fc6879b
JM		 2486 if (sm == NULL)
2487 return;
2488
f049052b
BG		 2489 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2490 "WPA: Association event - clear replay counter");
6fc6879b
JM		 2491 os_memcpy(sm->bssid, bssid, ETH_ALEN);
2492 os_memset(sm->rx_replay_counter, 0, WPA_REPLAY_COUNTER_LEN);
2493 sm->rx_replay_counter_set = 0;
2494 sm->renew_snonce = 1;
2495 if (os_memcmp(sm->preauth_bssid, bssid, ETH_ALEN) == 0)
2496 rsn_preauth_deinit(sm);
2497
2498#ifdef CONFIG_IEEE80211R
58a98fb0 2499 if (wpa_ft_is_completed(sm)) {
5d5a9f00
JM		 2500 /*
2501 * Clear portValid to kick EAPOL state machine to re-enter
2502 * AUTHENTICATED state to get the EAPOL port Authorized.
2503 */
2504 eapol_sm_notify_portValid(sm->eapol, FALSE);
6fc6879b
JM		 2505 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
2506
2507 /* Prepare for the next transition */
76b7981d 2508 wpa_ft_prepare_auth_request(sm, NULL);
58a98fb0
JM		 2509
2510 clear_ptk = 0;
6fc6879b
JM		 2511 }
2512#endif /* CONFIG_IEEE80211R */
706df429
JM		 2513#ifdef CONFIG_FILS
2514 if (sm->fils_completed) {
2515 /*
2516 * Clear portValid to kick EAPOL state machine to re-enter
2517 * AUTHENTICATED state to get the EAPOL port Authorized.
2518 */
2519 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
2520 clear_ptk = 0;
2521 }
2522#endif /* CONFIG_FILS */
58a98fb0
JM		 2523
2524 if (clear_ptk) {
2525 /*
2526 * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
2527 * this is not part of a Fast BSS Transition.
2528 */
f049052b 2529 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PTK");
58a98fb0 2530 sm->ptk_set = 0;
d2c33b91 2531 os_memset(&sm->ptk, 0, sizeof(sm->ptk));
58a98fb0 2532 sm->tptk_set = 0;
d2c33b91 2533 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
58a98fb0 2534 }
40cf22e6
JM		 2535
2536#ifdef CONFIG_TDLS
2537 wpa_tdls_assoc(sm);
2538#endif /* CONFIG_TDLS */
25ef8529
JM		 2539
2540#ifdef CONFIG_P2P
2541 os_memset(sm->p2p_ip_addr, 0, sizeof(sm->p2p_ip_addr));
2542#endif /* CONFIG_P2P */
6fc6879b
JM		 2543}
2544
2545
2546/**
2547 * wpa_sm_notify_disassoc - Notify WPA state machine about disassociation
2548 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2549 *
2550 * This function is called to let WPA state machine know that the connection
2551 * was lost. This will abort any existing pre-authentication session.
2552 */
2553void wpa_sm_notify_disassoc(struct wpa_sm *sm)
2554{
ac8e074e
JM		 2555 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
2556 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
77327298 2557 peerkey_deinit(sm);
6fc6879b 2558 rsn_preauth_deinit(sm);
0639970d 2559 pmksa_cache_clear_current(sm);
6fc6879b
JM		 2560 if (wpa_sm_get_state(sm) == WPA_4WAY_HANDSHAKE)
2561 sm->dot11RSNA4WayHandshakeFailures++;
40cf22e6
JM		 2562#ifdef CONFIG_TDLS
2563 wpa_tdls_disassoc(sm);
2564#endif /* CONFIG_TDLS */
706df429
JM		 2565#ifdef CONFIG_FILS
2566 sm->fils_completed = 0;
2567#endif /* CONFIG_FILS */
71932544
JM		 2568
2569 /* Keys are not needed in the WPA state machine anymore */
2570 wpa_sm_drop_sa(sm);
761396e4
JM		 2571
2572 sm->msg_3_of_4_ok = 0;
6fc6879b
JM		 2573}
2574
2575
2576/**
2577 * wpa_sm_set_pmk - Set PMK
2578 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2579 * @pmk: The new PMK
2580 * @pmk_len: The length of the new PMK in bytes
70c93963 2581 * @pmkid: Calculated PMKID
bc26ac50 2582 * @bssid: AA to add into PMKSA cache or %NULL to not cache the PMK
6fc6879b
JM		 2583 *
2584 * Configure the PMK for WPA state machine.
2585 */
bc26ac50 2586void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
70c93963 2587 const u8 *pmkid, const u8 *bssid)
6fc6879b
JM		 2588{
2589 if (sm == NULL)
2590 return;
2591
2592 sm->pmk_len = pmk_len;
2593 os_memcpy(sm->pmk, pmk, pmk_len);
2594
2595#ifdef CONFIG_IEEE80211R
2596 /* Set XXKey to be PSK for FT key derivation */
2597 sm->xxkey_len = pmk_len;
2598 os_memcpy(sm->xxkey, pmk, pmk_len);
2599#endif /* CONFIG_IEEE80211R */
bc26ac50
JM		 2600
2601 if (bssid) {
70c93963 2602 pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0,
087a1f4e 2603 bssid, sm->own_addr,
869af307 2604 sm->network_ctx, sm->key_mgmt, NULL);
bc26ac50 2605 }
6fc6879b
JM		 2606}
2607
2608
2609/**
2610 * wpa_sm_set_pmk_from_pmksa - Set PMK based on the current PMKSA
2611 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2612 *
2613 * Take the PMK from the current PMKSA into use. If no PMKSA is active, the PMK
2614 * will be cleared.
2615 */
2616void wpa_sm_set_pmk_from_pmksa(struct wpa_sm *sm)
2617{
2618 if (sm == NULL)
2619 return;
2620
2621 if (sm->cur_pmksa) {
2622 sm->pmk_len = sm->cur_pmksa->pmk_len;
2623 os_memcpy(sm->pmk, sm->cur_pmksa->pmk, sm->pmk_len);
2624 } else {
2625 sm->pmk_len = PMK_LEN;
2626 os_memset(sm->pmk, 0, PMK_LEN);
2627 }
2628}
2629
2630
2631/**
2632 * wpa_sm_set_fast_reauth - Set fast reauthentication (EAP) enabled/disabled
2633 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2634 * @fast_reauth: Whether fast reauthentication (EAP) is allowed
2635 */
2636void wpa_sm_set_fast_reauth(struct wpa_sm *sm, int fast_reauth)
2637{
2638 if (sm)
2639 sm->fast_reauth = fast_reauth;
2640}
2641
2642
2643/**
2644 * wpa_sm_set_scard_ctx - Set context pointer for smartcard callbacks
2645 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2646 * @scard_ctx: Context pointer for smartcard related callback functions
2647 */
2648void wpa_sm_set_scard_ctx(struct wpa_sm *sm, void *scard_ctx)
2649{
2650 if (sm == NULL)
2651 return;
2652 sm->scard_ctx = scard_ctx;
2653 if (sm->preauth_eapol)
2654 eapol_sm_register_scard_ctx(sm->preauth_eapol, scard_ctx);
2655}
2656
2657
2658/**
2659 * wpa_sm_set_config - Notification of current configration change
2660 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2661 * @config: Pointer to current network configuration
2662 *
2663 * Notify WPA state machine that configuration has changed. config will be
2664 * stored as a backpointer to network configuration. This can be %NULL to clear
2665 * the stored pointed.
2666 */
2667void wpa_sm_set_config(struct wpa_sm *sm, struct rsn_supp_config *config)
2668{
2669 if (!sm)
2670 return;
2671
6fc6879b 2672 if (config) {
886a807f 2673 sm->network_ctx = config->network_ctx;
6fc6879b
JM		 2674 sm->peerkey_enabled = config->peerkey_enabled;
2675 sm->allowed_pairwise_cipher = config->allowed_pairwise_cipher;
2676 sm->proactive_key_caching = config->proactive_key_caching;
2677 sm->eap_workaround = config->eap_workaround;
2678 sm->eap_conf_ctx = config->eap_conf_ctx;
2679 if (config->ssid) {
2680 os_memcpy(sm->ssid, config->ssid, config->ssid_len);
2681 sm->ssid_len = config->ssid_len;
2682 } else
2683 sm->ssid_len = 0;
581a8cde 2684 sm->wpa_ptk_rekey = config->wpa_ptk_rekey;
25ef8529 2685 sm->p2p = config->p2p;
73ed03f3 2686 sm->wpa_rsc_relaxation = config->wpa_rsc_relaxation;
869af307
JM		 2687#ifdef CONFIG_FILS
2688 if (config->fils_cache_id) {
2689 sm->fils_cache_id_set = 1;
2690 os_memcpy(sm->fils_cache_id, config->fils_cache_id,
2691 FILS_CACHE_ID_LEN);
2692 } else {
2693 sm->fils_cache_id_set = 0;
2694 }
2695#endif /* CONFIG_FILS */
6fc6879b 2696 } else {
886a807f 2697 sm->network_ctx = NULL;
6fc6879b
JM		 2698 sm->peerkey_enabled = 0;
2699 sm->allowed_pairwise_cipher = 0;
2700 sm->proactive_key_caching = 0;
2701 sm->eap_workaround = 0;
2702 sm->eap_conf_ctx = NULL;
2703 sm->ssid_len = 0;
581a8cde 2704 sm->wpa_ptk_rekey = 0;
25ef8529 2705 sm->p2p = 0;
73ed03f3 2706 sm->wpa_rsc_relaxation = 0;
6fc6879b 2707 }
6fc6879b
JM		 2708}
2709
2710
2711/**
2712 * wpa_sm_set_own_addr - Set own MAC address
2713 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2714 * @addr: Own MAC address
2715 */
2716void wpa_sm_set_own_addr(struct wpa_sm *sm, const u8 *addr)
2717{
2718 if (sm)
2719 os_memcpy(sm->own_addr, addr, ETH_ALEN);
2720}
2721
2722
2723/**
2724 * wpa_sm_set_ifname - Set network interface name
2725 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2726 * @ifname: Interface name
2727 * @bridge_ifname: Optional bridge interface name (for pre-auth)
2728 */
2729void wpa_sm_set_ifname(struct wpa_sm *sm, const char *ifname,
2730 const char *bridge_ifname)
2731{
2732 if (sm) {
2733 sm->ifname = ifname;
2734 sm->bridge_ifname = bridge_ifname;
2735 }
2736}
2737
2738
2739/**
2740 * wpa_sm_set_eapol - Set EAPOL state machine pointer
2741 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2742 * @eapol: Pointer to EAPOL state machine allocated with eapol_sm_init()
2743 */
2744void wpa_sm_set_eapol(struct wpa_sm *sm, struct eapol_sm *eapol)
2745{
2746 if (sm)
2747 sm->eapol = eapol;
2748}
2749
2750
2751/**
2752 * wpa_sm_set_param - Set WPA state machine parameters
2753 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2754 * @param: Parameter field
2755 * @value: Parameter value
2756 * Returns: 0 on success, -1 on failure
2757 */
2758int wpa_sm_set_param(struct wpa_sm *sm, enum wpa_sm_conf_params param,
2759 unsigned int value)
2760{
2761 int ret = 0;
2762
2763 if (sm == NULL)
2764 return -1;
2765
2766 switch (param) {
2767 case RSNA_PMK_LIFETIME:
2768 if (value > 0)
2769 sm->dot11RSNAConfigPMKLifetime = value;
2770 else
2771 ret = -1;
2772 break;
2773 case RSNA_PMK_REAUTH_THRESHOLD:
2774 if (value > 0 && value <= 100)
2775 sm->dot11RSNAConfigPMKReauthThreshold = value;
2776 else
2777 ret = -1;
2778 break;
2779 case RSNA_SA_TIMEOUT:
2780 if (value > 0)
2781 sm->dot11RSNAConfigSATimeout = value;
2782 else
2783 ret = -1;
2784 break;
2785 case WPA_PARAM_PROTO:
2786 sm->proto = value;
2787 break;
2788 case WPA_PARAM_PAIRWISE:
2789 sm->pairwise_cipher = value;
2790 break;
2791 case WPA_PARAM_GROUP:
2792 sm->group_cipher = value;
2793 break;
2794 case WPA_PARAM_KEY_MGMT:
2795 sm->key_mgmt = value;
2796 break;
2797#ifdef CONFIG_IEEE80211W
2798 case WPA_PARAM_MGMT_GROUP:
2799 sm->mgmt_group_cipher = value;
2800 break;
2801#endif /* CONFIG_IEEE80211W */
2802 case WPA_PARAM_RSN_ENABLED:
2803 sm->rsn_enabled = value;
2804 break;
e820cf95
JM		 2805 case WPA_PARAM_MFP:
2806 sm->mfp = value;
2807 break;
6fc6879b
JM		 2808 default:
2809 break;
2810 }
2811
2812 return ret;
2813}
2814
2815
6fc6879b
JM		 2816/**
2817 * wpa_sm_get_status - Get WPA state machine
2818 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2819 * @buf: Buffer for status information
2820 * @buflen: Maximum buffer length
2821 * @verbose: Whether to include verbose status information
2822 * Returns: Number of bytes written to buf.
2823 *
2824 * Query WPA state machine for status information. This function fills in
2825 * a text area with current status information. If the buffer (buf) is not
2826 * large enough, status information will be truncated to fit the buffer.
2827 */
2828int wpa_sm_get_status(struct wpa_sm *sm, char *buf, size_t buflen,
2829 int verbose)
2830{
2831 char *pos = buf, *end = buf + buflen;
2832 int ret;
2833
2834 ret = os_snprintf(pos, end - pos,
2835 "pairwise_cipher=%s\n"
2836 "group_cipher=%s\n"
2837 "key_mgmt=%s\n",
2838 wpa_cipher_txt(sm->pairwise_cipher),
2839 wpa_cipher_txt(sm->group_cipher),
2840 wpa_key_mgmt_txt(sm->key_mgmt, sm->proto));
d85e1fc8 2841 if (os_snprintf_error(end - pos, ret))
6fc6879b
JM		 2842 return pos - buf;
2843 pos += ret;
13e1d2e2
JM		 2844
2845 if (sm->mfp != NO_MGMT_FRAME_PROTECTION && sm->ap_rsn_ie) {
2846 struct wpa_ie_data rsn;
2847 if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn)
2848 >= 0 &&
2849 rsn.capabilities & (WPA_CAPABILITY_MFPR |
2850 WPA_CAPABILITY_MFPC)) {
2851 ret = os_snprintf(pos, end - pos, "pmf=%d\n",
2852 (rsn.capabilities &
2853 WPA_CAPABILITY_MFPR) ? 2 : 1);
d85e1fc8 2854 if (os_snprintf_error(end - pos, ret))
13e1d2e2
JM		 2855 return pos - buf;
2856 pos += ret;
2857 }
2858 }
2859
6fc6879b
JM		 2860 return pos - buf;
2861}
2862
2863
ae8535b6
JM		 2864int wpa_sm_pmf_enabled(struct wpa_sm *sm)
2865{
2866 struct wpa_ie_data rsn;
2867
2868 if (sm->mfp == NO_MGMT_FRAME_PROTECTION || !sm->ap_rsn_ie)
2869 return 0;
2870
2871 if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn) >= 0 &&
2872 rsn.capabilities & (WPA_CAPABILITY_MFPR | WPA_CAPABILITY_MFPC))
2873 return 1;
2874
2875 return 0;
2876}
2877
2878
6fc6879b
JM		 2879/**
2880 * wpa_sm_set_assoc_wpa_ie_default - Generate own WPA/RSN IE from configuration
2881 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2882 * @wpa_ie: Pointer to buffer for WPA/RSN IE
2883 * @wpa_ie_len: Pointer to the length of the wpa_ie buffer
2884 * Returns: 0 on success, -1 on failure
2885 */
2886int wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm *sm, u8 *wpa_ie,
2887 size_t *wpa_ie_len)
2888{
2889 int res;
2890
2891 if (sm == NULL)
2892 return -1;
2893
651c6a84
JM		 2894#ifdef CONFIG_TESTING_OPTIONS
2895 if (sm->test_assoc_ie) {
2896 wpa_printf(MSG_DEBUG,
2897 "TESTING: Replace association WPA/RSN IE");
2898 if (*wpa_ie_len < wpabuf_len(sm->test_assoc_ie))
2899 return -1;
2900 os_memcpy(wpa_ie, wpabuf_head(sm->test_assoc_ie),
2901 wpabuf_len(sm->test_assoc_ie));
2902 res = wpabuf_len(sm->test_assoc_ie);
2903 } else
2904#endif /* CONFIG_TESTING_OPTIONS */
6fc6879b
JM		 2905 res = wpa_gen_wpa_ie(sm, wpa_ie, *wpa_ie_len);
2906 if (res < 0)
2907 return -1;
2908 *wpa_ie_len = res;
2909
2910 wpa_hexdump(MSG_DEBUG, "WPA: Set own WPA IE default",
2911 wpa_ie, *wpa_ie_len);
2912
2913 if (sm->assoc_wpa_ie == NULL) {
2914 /*
2915 * Make a copy of the WPA/RSN IE so that 4-Way Handshake gets
2916 * the correct version of the IE even if PMKSA caching is
2917 * aborted (which would remove PMKID from IE generation).
2918 */
a1f11e34 2919 sm->assoc_wpa_ie = os_memdup(wpa_ie, *wpa_ie_len);
6fc6879b
JM		 2920 if (sm->assoc_wpa_ie == NULL)
2921 return -1;
2922
6fc6879b 2923 sm->assoc_wpa_ie_len = *wpa_ie_len;
0866ed00
JM		 2924 } else {
2925 wpa_hexdump(MSG_DEBUG,
2926 "WPA: Leave previously set WPA IE default",
2927 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
6fc6879b
JM		 2928 }
2929
2930 return 0;
2931}
2932
2933
2934/**
2935 * wpa_sm_set_assoc_wpa_ie - Set own WPA/RSN IE from (Re)AssocReq
2936 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2937 * @ie: Pointer to IE data (starting from id)
2938 * @len: IE length
2939 * Returns: 0 on success, -1 on failure
2940 *
2941 * Inform WPA state machine about the WPA/RSN IE used in (Re)Association
2942 * Request frame. The IE will be used to override the default value generated
2943 * with wpa_sm_set_assoc_wpa_ie_default().
2944 */
2945int wpa_sm_set_assoc_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
2946{
2947 if (sm == NULL)
2948 return -1;
2949
2950 os_free(sm->assoc_wpa_ie);
2951 if (ie == NULL || len == 0) {
f049052b
BG		 2952 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2953 "WPA: clearing own WPA/RSN IE");
6fc6879b
JM		 2954 sm->assoc_wpa_ie = NULL;
2955 sm->assoc_wpa_ie_len = 0;
2956 } else {
2957 wpa_hexdump(MSG_DEBUG, "WPA: set own WPA/RSN IE", ie, len);
a1f11e34 2958 sm->assoc_wpa_ie = os_memdup(ie, len);
6fc6879b
JM		 2959 if (sm->assoc_wpa_ie == NULL)
2960 return -1;
2961
6fc6879b
JM		 2962 sm->assoc_wpa_ie_len = len;
2963 }
2964
2965 return 0;
2966}
2967
2968
2969/**
2970 * wpa_sm_set_ap_wpa_ie - Set AP WPA IE from Beacon/ProbeResp
2971 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2972 * @ie: Pointer to IE data (starting from id)
2973 * @len: IE length
2974 * Returns: 0 on success, -1 on failure
2975 *
2976 * Inform WPA state machine about the WPA IE used in Beacon / Probe Response
2977 * frame.
2978 */
2979int wpa_sm_set_ap_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
2980{
2981 if (sm == NULL)
2982 return -1;
2983
2984 os_free(sm->ap_wpa_ie);
2985 if (ie == NULL || len == 0) {
f049052b
BG		 2986 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2987 "WPA: clearing AP WPA IE");
6fc6879b
JM		 2988 sm->ap_wpa_ie = NULL;
2989 sm->ap_wpa_ie_len = 0;
2990 } else {
2991 wpa_hexdump(MSG_DEBUG, "WPA: set AP WPA IE", ie, len);
a1f11e34 2992 sm->ap_wpa_ie = os_memdup(ie, len);
6fc6879b
JM		 2993 if (sm->ap_wpa_ie == NULL)
2994 return -1;
2995
6fc6879b
JM		 2996 sm->ap_wpa_ie_len = len;
2997 }
2998
2999 return 0;
3000}
3001
3002
3003/**
3004 * wpa_sm_set_ap_rsn_ie - Set AP RSN IE from Beacon/ProbeResp
3005 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3006 * @ie: Pointer to IE data (starting from id)
3007 * @len: IE length
3008 * Returns: 0 on success, -1 on failure
3009 *
3010 * Inform WPA state machine about the RSN IE used in Beacon / Probe Response
3011 * frame.
3012 */
3013int wpa_sm_set_ap_rsn_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
3014{
3015 if (sm == NULL)
3016 return -1;
3017
3018 os_free(sm->ap_rsn_ie);
3019 if (ie == NULL || len == 0) {
f049052b
BG		 3020 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3021 "WPA: clearing AP RSN IE");
6fc6879b
JM		 3022 sm->ap_rsn_ie = NULL;
3023 sm->ap_rsn_ie_len = 0;
3024 } else {
3025 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSN IE", ie, len);
a1f11e34 3026 sm->ap_rsn_ie = os_memdup(ie, len);
6fc6879b
JM		 3027 if (sm->ap_rsn_ie == NULL)
3028 return -1;
3029
6fc6879b
JM		 3030 sm->ap_rsn_ie_len = len;
3031 }
3032
3033 return 0;
3034}
3035
3036
3037/**
3038 * wpa_sm_parse_own_wpa_ie - Parse own WPA/RSN IE
3039 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3040 * @data: Pointer to data area for parsing results
3041 * Returns: 0 on success, -1 if IE is not known, or -2 on parsing failure
3042 *
3043 * Parse the contents of the own WPA or RSN IE from (Re)AssocReq and write the
3044 * parsed data into data.
3045 */
3046int wpa_sm_parse_own_wpa_ie(struct wpa_sm *sm, struct wpa_ie_data *data)
3047{
2a522e71
JM		 3048 if (sm == NULL)
3049 return -1;
3050
3051 if (sm->assoc_wpa_ie == NULL) {
f049052b
BG		 3052 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3053 "WPA: No WPA/RSN IE available from association info");
6fc6879b
JM		 3054 return -1;
3055 }
3056 if (wpa_parse_wpa_ie(sm->assoc_wpa_ie, sm->assoc_wpa_ie_len, data))
3057 return -2;
3058 return 0;
3059}
540264a7
JM		 3060
3061
3062int wpa_sm_pmksa_cache_list(struct wpa_sm *sm, char *buf, size_t len)
3063{
540264a7 3064 return pmksa_cache_list(sm->pmksa, buf, len);
540264a7 3065}
32d5295f
JM		 3066
3067
3459381d
JM		 3068struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_head(struct wpa_sm *sm)
3069{
3070 return pmksa_cache_head(sm->pmksa);
3071}
3072
3073
3074struct rsn_pmksa_cache_entry *
3075wpa_sm_pmksa_cache_add_entry(struct wpa_sm *sm,
3076 struct rsn_pmksa_cache_entry * entry)
3077{
3078 return pmksa_cache_add_entry(sm->pmksa, entry);
3079}
3080
3081
32d5295f
JM		 3082void wpa_sm_drop_sa(struct wpa_sm *sm)
3083{
f049052b 3084 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PMK and PTK");
32d5295f
JM		 3085 sm->ptk_set = 0;
3086 sm->tptk_set = 0;
3087 os_memset(sm->pmk, 0, sizeof(sm->pmk));
3088 os_memset(&sm->ptk, 0, sizeof(sm->ptk));
3089 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
71932544
JM		 3090#ifdef CONFIG_IEEE80211R
3091 os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
3092 os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0));
3093 os_memset(sm->pmk_r1, 0, sizeof(sm->pmk_r1));
3094#endif /* CONFIG_IEEE80211R */
32d5295f 3095}
0d7b4409
JM		 3096
3097
3098int wpa_sm_has_ptk(struct wpa_sm *sm)
3099{
3100 if (sm == NULL)
3101 return 0;
3102 return sm->ptk_set;
3103}
b14a210c
JB		 3104
3105
3106void wpa_sm_update_replay_ctr(struct wpa_sm *sm, const u8 *replay_ctr)
3107{
3108 os_memcpy(sm->rx_replay_counter, replay_ctr, WPA_REPLAY_COUNTER_LEN);
3109}
d8a790b9
JM		 3110
3111
3112void wpa_sm_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx)
3113{
4033935d 3114 pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0);
d8a790b9 3115}
75cad1a0
XC		 3116
3117
ad3872a3 3118#ifdef CONFIG_WNM
75cad1a0
XC		 3119int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
3120{
75cad1a0
XC		 3121 u16 keyinfo;
3122 u8 keylen; /* plaintext key len */
75cad1a0
XC		 3123 u8 *key_rsc;
3124
75cad1a0 3125 if (subelem_id == WNM_SLEEP_SUBELEM_GTK) {
d2c33b91
JM		 3126 struct wpa_gtk_data gd;
3127
3128 os_memset(&gd, 0, sizeof(gd));
3129 keylen = wpa_cipher_key_len(sm->group_cipher);
3130 gd.key_rsc_len = wpa_cipher_rsc_len(sm->group_cipher);
3131 gd.alg = wpa_cipher_to_alg(sm->group_cipher);
3132 if (gd.alg == WPA_ALG_NONE) {
3133 wpa_printf(MSG_DEBUG, "Unsupported group cipher suite");
3134 return -1;
3135 }
3136
75cad1a0 3137 key_rsc = buf + 5;
68db9ab0 3138 keyinfo = WPA_GET_LE16(buf + 2);
75cad1a0
XC		 3139 gd.gtk_len = keylen;
3140 if (gd.gtk_len != buf[4]) {
3141 wpa_printf(MSG_DEBUG, "GTK len mismatch len %d vs %d",
3142 gd.gtk_len, buf[4]);
3143 return -1;
3144 }
3145 gd.keyidx = keyinfo & 0x03; /* B0 - B1 */
3146 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(
3147 sm, !!(keyinfo & WPA_KEY_INFO_TXRX));
3148
68db9ab0 3149 os_memcpy(gd.gtk, buf + 13, gd.gtk_len);
75cad1a0
XC		 3150
3151 wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)",
3152 gd.gtk, gd.gtk_len);
3153 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc)) {
d2c33b91 3154 os_memset(&gd, 0, sizeof(gd));
75cad1a0
XC		 3155 wpa_printf(MSG_DEBUG, "Failed to install the GTK in "
3156 "WNM mode");
3157 return -1;
3158 }
d2c33b91 3159 os_memset(&gd, 0, sizeof(gd));
75cad1a0
XC		 3160#ifdef CONFIG_IEEE80211W
3161 } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) {
d2c33b91
JM		 3162 struct wpa_igtk_kde igd;
3163 u16 keyidx;
3164
3165 os_memset(&igd, 0, sizeof(igd));
8dd9f9cd 3166 keylen = wpa_cipher_key_len(sm->mgmt_group_cipher);
75cad1a0
XC		 3167 os_memcpy(igd.keyid, buf + 2, 2);
3168 os_memcpy(igd.pn, buf + 4, 6);
3169
3170 keyidx = WPA_GET_LE16(igd.keyid);
8dd9f9cd 3171 os_memcpy(igd.igtk, buf + 10, keylen);
75cad1a0
XC		 3172
3173 wpa_hexdump_key(MSG_DEBUG, "Install IGTK (WNM SLEEP)",
8dd9f9cd
JM		 3174 igd.igtk, keylen);
3175 if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
3176 broadcast_ether_addr,
75cad1a0 3177 keyidx, 0, igd.pn, sizeof(igd.pn),
8dd9f9cd 3178 igd.igtk, keylen) < 0) {
75cad1a0
XC		 3179 wpa_printf(MSG_DEBUG, "Failed to install the IGTK in "
3180 "WNM mode");
d2c33b91 3181 os_memset(&igd, 0, sizeof(igd));
75cad1a0
XC		 3182 return -1;
3183 }
d2c33b91 3184 os_memset(&igd, 0, sizeof(igd));
75cad1a0
XC		 3185#endif /* CONFIG_IEEE80211W */
3186 } else {
3187 wpa_printf(MSG_DEBUG, "Unknown element id");
3188 return -1;
3189 }
3190
3191 return 0;
3192}
ad3872a3 3193#endif /* CONFIG_WNM */
db76aa64
JM		 3194
3195
3196#ifdef CONFIG_PEERKEY
3197int wpa_sm_rx_eapol_peerkey(struct wpa_sm *sm, const u8 *src_addr,
3198 const u8 *buf, size_t len)
3199{
3200 struct wpa_peerkey *peerkey;
3201
3202 for (peerkey = sm->peerkey; peerkey; peerkey = peerkey->next) {
3203 if (os_memcmp(peerkey->addr, src_addr, ETH_ALEN) == 0)
3204 break;
3205 }
3206
3207 if (!peerkey)
3208 return 0;
3209
3210 wpa_sm_rx_eapol(sm, src_addr, buf, len);
3211
3212 return 1;
3213}
3214#endif /* CONFIG_PEERKEY */
25ef8529
JM		 3215
3216
3217#ifdef CONFIG_P2P
3218
3219int wpa_sm_get_p2p_ip_addr(struct wpa_sm *sm, u8 *buf)
3220{
3221 if (sm == NULL || WPA_GET_BE32(sm->p2p_ip_addr) == 0)
3222 return -1;
3223 os_memcpy(buf, sm->p2p_ip_addr, 3 * 4);
3224 return 0;
3225}
3226
3227#endif /* CONFIG_P2P */
b41f2684
CL		 3228
3229
3230void wpa_sm_set_rx_replay_ctr(struct wpa_sm *sm, const u8 *rx_replay_counter)
3231{
3232 if (rx_replay_counter == NULL)
3233 return;
3234
3235 os_memcpy(sm->rx_replay_counter, rx_replay_counter,
3236 WPA_REPLAY_COUNTER_LEN);
3237 sm->rx_replay_counter_set = 1;
3238 wpa_printf(MSG_DEBUG, "Updated key replay counter");
3239}
3240
3241
98cd3d1c
JM		 3242void wpa_sm_set_ptk_kck_kek(struct wpa_sm *sm,
3243 const u8 *ptk_kck, size_t ptk_kck_len,
3244 const u8 *ptk_kek, size_t ptk_kek_len)
b41f2684 3245{
98cd3d1c
JM		 3246 if (ptk_kck && ptk_kck_len <= WPA_KCK_MAX_LEN) {
3247 os_memcpy(sm->ptk.kck, ptk_kck, ptk_kck_len);
3248 sm->ptk.kck_len = ptk_kck_len;
b41f2684
CL		 3249 wpa_printf(MSG_DEBUG, "Updated PTK KCK");
3250 }
98cd3d1c
JM		 3251 if (ptk_kek && ptk_kek_len <= WPA_KEK_MAX_LEN) {
3252 os_memcpy(sm->ptk.kek, ptk_kek, ptk_kek_len);
3253 sm->ptk.kek_len = ptk_kek_len;
b41f2684
CL		 3254 wpa_printf(MSG_DEBUG, "Updated PTK KEK");
3255 }
3256 sm->ptk_set = 1;
3257}
651c6a84
JM		 3258
3259
3260#ifdef CONFIG_TESTING_OPTIONS
3261void wpa_sm_set_test_assoc_ie(struct wpa_sm *sm, struct wpabuf *buf)
3262{
3263 wpabuf_free(sm->test_assoc_ie);
3264 sm->test_assoc_ie = buf;
3265}
3266#endif /* CONFIG_TESTING_OPTIONS */
f00b9b88
JM		 3267
3268
3269#ifdef CONFIG_FILS
3270
af3e362f 3271struct wpabuf * fils_build_auth(struct wpa_sm *sm, int dh_group, const u8 *md)
f00b9b88
JM		 3272{
3273 struct wpabuf *buf = NULL;
3274 struct wpabuf *erp_msg;
76e20f4f 3275 struct wpabuf *pub = NULL;
f00b9b88
JM		 3276
3277 erp_msg = eapol_sm_build_erp_reauth_start(sm->eapol);
3278 if (!erp_msg && !sm->cur_pmksa) {
3279 wpa_printf(MSG_DEBUG,
3280 "FILS: Neither ERP EAP-Initiate/Re-auth nor PMKSA cache entry is available - skip FILS");
3281 goto fail;
3282 }
3283
3284 wpa_printf(MSG_DEBUG, "FILS: Try to use FILS (erp=%d pmksa_cache=%d)",
3285 erp_msg != NULL, sm->cur_pmksa != NULL);
3286
706df429
JM		 3287 sm->fils_completed = 0;
3288
f00b9b88
JM		 3289 if (!sm->assoc_wpa_ie) {
3290 wpa_printf(MSG_INFO, "FILS: No own RSN IE set for FILS");
3291 goto fail;
3292 }
3293
3294 if (random_get_bytes(sm->fils_nonce, FILS_NONCE_LEN) < 0 ||
3295 random_get_bytes(sm->fils_session, FILS_SESSION_LEN) < 0)
3296 goto fail;
3297
3298 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Nonce",
3299 sm->fils_nonce, FILS_NONCE_LEN);
3300 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Session",
3301 sm->fils_session, FILS_SESSION_LEN);
3302
76e20f4f
JM		 3303#ifdef CONFIG_FILS_SK_PFS
3304 sm->fils_dh_group = dh_group;
3305 if (dh_group) {
3306 crypto_ecdh_deinit(sm->fils_ecdh);
3307 sm->fils_ecdh = crypto_ecdh_init(dh_group);
3308 if (!sm->fils_ecdh) {
3309 wpa_printf(MSG_INFO,
3310 "FILS: Could not initialize ECDH with group %d",
3311 dh_group);
3312 goto fail;
3313 }
3314 pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1);
3315 if (!pub)
3316 goto fail;
3317 wpa_hexdump_buf(MSG_DEBUG, "FILS: Element (DH public key)",
3318 pub);
3319 sm->fils_dh_elem_len = wpabuf_len(pub);
3320 }
3321#endif /* CONFIG_FILS_SK_PFS */
3322
3323 buf = wpabuf_alloc(1000 + sm->assoc_wpa_ie_len +
3324 (pub ? wpabuf_len(pub) : 0));
f00b9b88
JM		 3325 if (!buf)
3326 goto fail;
3327
3328 /* Fields following the Authentication algorithm number field */
3329
3330 /* Authentication Transaction seq# */
3331 wpabuf_put_le16(buf, 1);
3332
3333 /* Status Code */
3334 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
3335
76e20f4f
JM		 3336 /* TODO: FILS PK */
3337#ifdef CONFIG_FILS_SK_PFS
3338 if (dh_group) {
3339 /* Finite Cyclic Group */
3340 wpabuf_put_le16(buf, dh_group);
3341 /* Element */
3342 wpabuf_put_buf(buf, pub);
3343 }
3344#endif /* CONFIG_FILS_SK_PFS */
f00b9b88
JM		 3345
3346 /* RSNE */
3347 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in FILS Authentication frame",
3348 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
3349 wpabuf_put_data(buf, sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
3350
af3e362f
JM		 3351 if (md) {
3352 /* MDE when using FILS for FT initial association */
3353 struct rsn_mdie *mdie;
3354
3355 wpabuf_put_u8(buf, WLAN_EID_MOBILITY_DOMAIN);
3356 wpabuf_put_u8(buf, sizeof(*mdie));
3357 mdie = wpabuf_put(buf, sizeof(*mdie));
3358 os_memcpy(mdie->mobility_domain, md, MOBILITY_DOMAIN_ID_LEN);
3359 mdie->ft_capab = 0;
3360 }
f00b9b88
JM		 3361
3362 /* FILS Nonce */
3363 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3364 wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN); /* Length */
3365 /* Element ID Extension */
3366 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE);
3367 wpabuf_put_data(buf, sm->fils_nonce, FILS_NONCE_LEN);
3368
3369 /* FILS Session */
3370 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3371 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */
3372 /* Element ID Extension */
3373 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
3374 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
3375
3376 /* FILS Wrapped Data */
fcd3d6ce 3377 sm->fils_erp_pmkid_set = 0;
f00b9b88
JM		 3378 if (erp_msg) {
3379 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3380 wpabuf_put_u8(buf, 1 + wpabuf_len(erp_msg)); /* Length */
3381 /* Element ID Extension */
3382 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_WRAPPED_DATA);
3383 wpabuf_put_buf(buf, erp_msg);
fcd3d6ce
JM		 3384 /* Calculate pending PMKID here so that we do not need to
3385 * maintain a copy of the EAP-Initiate/Reauth message. */
3386 if (fils_pmkid_erp(sm->key_mgmt, wpabuf_head(erp_msg),
3387 wpabuf_len(erp_msg),
3388 sm->fils_erp_pmkid) == 0)
3389 sm->fils_erp_pmkid_set = 1;
f00b9b88
JM		 3390 }
3391
3392 wpa_hexdump_buf(MSG_DEBUG, "RSN: FILS fields for Authentication frame",
3393 buf);
3394
3395fail:
3396 wpabuf_free(erp_msg);
76e20f4f 3397 wpabuf_free(pub);
f00b9b88
JM		 3398 return buf;
3399}
3400
a6609937 3401
ba9774bd
JM		 3402int fils_process_auth(struct wpa_sm *sm, const u8 *bssid, const u8 *data,
3403 size_t len)
a6609937
JM		 3404{
3405 const u8 *pos, *end;
3406 struct ieee802_11_elems elems;
3407 struct wpa_ie_data rsn;
3408 int pmkid_match = 0;
3409 u8 ick[FILS_ICK_MAX_LEN];
3410 size_t ick_len;
3411 int res;
76e20f4f 3412 struct wpabuf *dh_ss = NULL;
a6609937 3413
ba9774bd
JM		 3414 os_memcpy(sm->bssid, bssid, ETH_ALEN);
3415
a6609937
JM		 3416 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
3417 data, len);
3418 pos = data;
3419 end = data + len;
3420
76e20f4f
JM		 3421 /* TODO: FILS PK */
3422#ifdef CONFIG_FILS_SK_PFS
3423 if (sm->fils_dh_group) {
3424 u16 group;
3425
3426 /* Using FILS PFS */
3427
3428 /* Finite Cyclic Group */
3429 if (end - pos < 2) {
3430 wpa_printf(MSG_DEBUG,
3431 "FILS: No room for Finite Cyclic Group");
3432 goto fail;
3433 }
3434 group = WPA_GET_LE16(pos);
3435 pos += 2;
3436 if (group != sm->fils_dh_group) {
3437 wpa_printf(MSG_DEBUG,
3438 "FILS: Unexpected change in Finite Cyclic Group: %u (expected %u)",
3439 group, sm->fils_dh_group);
3440 goto fail;
3441 }
3442
3443 /* Element */
3444 if ((size_t) (end - pos) < sm->fils_dh_elem_len) {
3445 wpa_printf(MSG_DEBUG, "FILS: No room for Element");
3446 goto fail;
3447 }
3448
3449 if (!sm->fils_ecdh) {
3450 wpa_printf(MSG_DEBUG, "FILS: No ECDH state available");
3451 goto fail;
3452 }
3453 dh_ss = crypto_ecdh_set_peerkey(sm->fils_ecdh, 1, pos,
3454 sm->fils_dh_elem_len);
3455 if (!dh_ss) {
3456 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed");
3457 goto fail;
3458 }
3459 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", dh_ss);
3460 pos += sm->fils_dh_elem_len;
3461 }
3462#endif /* CONFIG_FILS_SK_PFS */
a6609937
JM		 3463
3464 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
3465 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
3466 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
76e20f4f 3467 goto fail;
a6609937
JM		 3468 }
3469
3470 /* RSNE */
3471 wpa_hexdump(MSG_DEBUG, "FILS: RSN element", elems.rsn_ie,
3472 elems.rsn_ie_len);
3473 if (!elems.rsn_ie ||
3474 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
3475 &rsn) < 0) {
3476 wpa_printf(MSG_DEBUG, "FILS: No RSN element");
76e20f4f 3477 goto fail;
a6609937
JM		 3478 }
3479
3480 if (!elems.fils_nonce) {
3481 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
76e20f4f 3482 goto fail;
a6609937
JM		 3483 }
3484 os_memcpy(sm->fils_anonce, elems.fils_nonce, FILS_NONCE_LEN);
3485 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", sm->fils_anonce, FILS_NONCE_LEN);
3486
3487 /* TODO: MDE when using FILS+FT */
3488 /* TODO: FTE when using FILS+FT */
3489
3490 /* PMKID List */
3491 if (rsn.pmkid && rsn.num_pmkid > 0) {
3492 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
3493 rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
3494
3495 if (rsn.num_pmkid != 1) {
3496 wpa_printf(MSG_DEBUG, "FILS: Invalid PMKID selection");
76e20f4f 3497 goto fail;
a6609937
JM		 3498 }
3499 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", rsn.pmkid, PMKID_LEN);
3500 if (os_memcmp(sm->cur_pmksa->pmkid, rsn.pmkid, PMKID_LEN) != 0)
3501 {
3502 wpa_printf(MSG_DEBUG, "FILS: PMKID mismatch");
3503 wpa_hexdump(MSG_DEBUG, "FILS: Expected PMKID",
3504 sm->cur_pmksa->pmkid, PMKID_LEN);
76e20f4f 3505 goto fail;
a6609937
JM		 3506 }
3507 wpa_printf(MSG_DEBUG,
3508 "FILS: Matching PMKID - continue using PMKSA caching");
3509 pmkid_match = 1;
3510 }
3511 if (!pmkid_match && sm->cur_pmksa) {
3512 wpa_printf(MSG_DEBUG,
3513 "FILS: No PMKID match - cannot use cached PMKSA entry");
3514 sm->cur_pmksa = NULL;
3515 }
3516
3517 /* FILS Session */
3518 if (!elems.fils_session) {
3519 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
76e20f4f 3520 goto fail;
a6609937
JM		 3521 }
3522 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
3523 FILS_SESSION_LEN);
3524 if (os_memcmp(sm->fils_session, elems.fils_session, FILS_SESSION_LEN)
3525 != 0) {
3526 wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
3527 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
3528 sm->fils_session, FILS_SESSION_LEN);
76e20f4f 3529 goto fail;
a6609937
JM		 3530 }
3531
3532 /* FILS Wrapped Data */
3533 if (!sm->cur_pmksa && elems.fils_wrapped_data) {
fcd3d6ce
JM		 3534 u8 rmsk[ERP_MAX_KEY_LEN];
3535 size_t rmsk_len;
3536
a6609937
JM		 3537 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
3538 elems.fils_wrapped_data,
3539 elems.fils_wrapped_data_len);
3540 eapol_sm_process_erp_finish(sm->eapol, elems.fils_wrapped_data,
3541 elems.fils_wrapped_data_len);
3542 if (eapol_sm_failed(sm->eapol))
76e20f4f 3543 goto fail;
a6609937 3544
fcd3d6ce
JM		 3545 rmsk_len = ERP_MAX_KEY_LEN;
3546 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
3547 if (res == PMK_LEN) {
3548 rmsk_len = PMK_LEN;
3549 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
3550 }
a6609937 3551 if (res)
76e20f4f 3552 goto fail;
a6609937 3553
fcd3d6ce 3554 res = fils_rmsk_to_pmk(sm->key_mgmt, rmsk, rmsk_len,
76e20f4f
JM		 3555 sm->fils_nonce, sm->fils_anonce,
3556 dh_ss ? wpabuf_head(dh_ss) : NULL,
3557 dh_ss ? wpabuf_len(dh_ss) : 0,
fcd3d6ce
JM		 3558 sm->pmk, &sm->pmk_len);
3559 os_memset(rmsk, 0, sizeof(rmsk));
76e20f4f
JM		 3560 wpabuf_clear_free(dh_ss);
3561 dh_ss = NULL;
275cc942 3562 if (res)
76e20f4f 3563 goto fail;
fcd3d6ce
JM		 3564
3565 if (!sm->fils_erp_pmkid_set) {
3566 wpa_printf(MSG_DEBUG, "FILS: PMKID not available");
76e20f4f 3567 goto fail;
fcd3d6ce
JM		 3568 }
3569 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", sm->fils_erp_pmkid,
3570 PMKID_LEN);
a6609937 3571 wpa_printf(MSG_DEBUG, "FILS: ERP processing succeeded - add PMKSA cache entry for the result");
fcd3d6ce
JM		 3572 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len,
3573 sm->fils_erp_pmkid, NULL, 0,
3574 sm->bssid, sm->own_addr,
869af307
JM		 3575 sm->network_ctx, sm->key_mgmt,
3576 NULL);
a6609937
JM		 3577 }
3578
3579 if (!sm->cur_pmksa) {
3580 wpa_printf(MSG_DEBUG,
3581 "FILS: No remaining options to continue FILS authentication");
76e20f4f 3582 goto fail;
a6609937
JM		 3583 }
3584
3585 if (fils_pmk_to_ptk(sm->pmk, sm->pmk_len, sm->own_addr, sm->bssid,
3586 sm->fils_nonce, sm->fils_anonce, &sm->ptk,
3587 ick, &ick_len, sm->key_mgmt, sm->pairwise_cipher) <
3588 0) {
3589 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PTK");
76e20f4f 3590 goto fail;
a6609937
JM		 3591 }
3592 sm->ptk_set = 1;
3593 sm->tptk_set = 0;
3594 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
3595
3596 res = fils_key_auth_sk(ick, ick_len, sm->fils_nonce,
3597 sm->fils_anonce, sm->own_addr, sm->bssid,
76e20f4f 3598 NULL, 0, NULL, 0, /* TODO: PK */
a6609937
JM		 3599 sm->key_mgmt, sm->fils_key_auth_sta,
3600 sm->fils_key_auth_ap,
3601 &sm->fils_key_auth_len);
3602 os_memset(ick, 0, sizeof(ick));
3603 return res;
76e20f4f
JM		 3604fail:
3605 wpabuf_clear_free(dh_ss);
3606 return -1;
a6609937
JM		 3607}
3608
86cd6928
JM		 3609
3610struct wpabuf * fils_build_assoc_req(struct wpa_sm *sm, const u8 **kek,
3611 size_t *kek_len, const u8 **snonce,
5732b770
JM		 3612 const u8 **anonce,
3613 const struct wpabuf **hlp,
3614 unsigned int num_hlp)
86cd6928
JM		 3615{
3616 struct wpabuf *buf;
5732b770
JM		 3617 size_t len;
3618 unsigned int i;
86cd6928 3619
5732b770
JM		 3620 len = 1000;
3621 for (i = 0; hlp && i < num_hlp; i++)
3622 len += 10 + wpabuf_len(hlp[i]);
3623 buf = wpabuf_alloc(len);
86cd6928
JM		 3624 if (!buf)
3625 return NULL;
3626
3627 /* FILS Session */
3628 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3629 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */
3630 /* Element ID Extension */
3631 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
3632 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
3633
3634 /* Everything after FILS Session element gets encrypted in the driver
3635 * with KEK. The buffer returned from here is the plaintext version. */
3636
3637 /* TODO: FILS Public Key */
3638
3639 /* FILS Key Confirm */
3640 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3641 wpabuf_put_u8(buf, 1 + sm->fils_key_auth_len); /* Length */
3642 /* Element ID Extension */
3643 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_KEY_CONFIRM);
3644 wpabuf_put_data(buf, sm->fils_key_auth_sta, sm->fils_key_auth_len);
3645
5732b770
JM		 3646 /* FILS HLP Container */
3647 for (i = 0; hlp && i < num_hlp; i++) {
3648 const u8 *pos = wpabuf_head(hlp[i]);
3649 size_t left = wpabuf_len(hlp[i]);
3650
3651 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3652 if (left <= 254)
3653 len = 1 + left;
3654 else
3655 len = 255;
3656 wpabuf_put_u8(buf, len); /* Length */
3657 /* Element ID Extension */
3658 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_HLP_CONTAINER);
3659 /* Destination MAC Address, Source MAC Address, HLP Packet.
3660 * HLP Packet is in MSDU format (i.e., included the LLC/SNAP
3661 * header when LPD is used). */
3662 wpabuf_put_data(buf, pos, len - 1);
3663 pos += len - 1;
3664 left -= len - 1;
3665 while (left) {
3666 wpabuf_put_u8(buf, WLAN_EID_FRAGMENT);
3667 len = left > 255 ? 255 : left;
3668 wpabuf_put_u8(buf, len);
3669 wpabuf_put_data(buf, pos, len);
3670 pos += len;
3671 left -= len;
3672 }
3673 }
86cd6928
JM		 3674
3675 /* TODO: FILS IP Address Assignment */
3676
3677 wpa_hexdump_buf(MSG_DEBUG, "FILS: Association Request plaintext", buf);
3678
3679 *kek = sm->ptk.kek;
3680 *kek_len = sm->ptk.kek_len;
3681 wpa_hexdump_key(MSG_DEBUG, "FILS: KEK for AEAD", *kek, *kek_len);
3682 *snonce = sm->fils_nonce;
3683 wpa_hexdump(MSG_DEBUG, "FILS: SNonce for AEAD AAD",
3684 *snonce, FILS_NONCE_LEN);
3685 *anonce = sm->fils_anonce;
3686 wpa_hexdump(MSG_DEBUG, "FILS: ANonce for AEAD AAD",
3687 *anonce, FILS_NONCE_LEN);
3688
3689 return buf;
3690}
3691
706df429 3692
124ddfa1
JM		 3693static void fils_process_hlp_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
3694{
3695 const u8 *pos, *end;
3696
3697 wpa_hexdump(MSG_MSGDUMP, "FILS: HLP response", resp, len);
3698 if (len < 2 * ETH_ALEN)
3699 return;
3700 pos = resp + 2 * ETH_ALEN;
3701 end = resp + len;
3702 if (end - pos >= 6 &&
3703 os_memcmp(pos, "\xaa\xaa\x03\x00\x00\x00", 6) == 0)
3704 pos += 6; /* Remove SNAP/LLC header */
3705 wpa_sm_fils_hlp_rx(sm, resp, resp + ETH_ALEN, pos, end - pos);
3706}
3707
3708
3709static void fils_process_hlp_container(struct wpa_sm *sm, const u8 *pos,
3710 size_t len)
3711{
3712 const u8 *end = pos + len;
3713 u8 *tmp, *tmp_pos;
3714
3715 /* Check if there are any FILS HLP Container elements */
3716 while (end - pos >= 2) {
3717 if (2 + pos[1] > end - pos)
3718 return;
3719 if (pos[0] == WLAN_EID_EXTENSION &&
3720 pos[1] >= 1 + 2 * ETH_ALEN &&
3721 pos[2] == WLAN_EID_EXT_FILS_HLP_CONTAINER)
3722 break;
3723 pos += 2 + pos[1];
3724 }
3725 if (end - pos < 2)
3726 return; /* No FILS HLP Container elements */
3727
3728 tmp = os_malloc(end - pos);
3729 if (!tmp)
3730 return;
3731
3732 while (end - pos >= 2) {
3733 if (2 + pos[1] > end - pos ||
3734 pos[0] != WLAN_EID_EXTENSION ||
3735 pos[1] < 1 + 2 * ETH_ALEN ||
3736 pos[2] != WLAN_EID_EXT_FILS_HLP_CONTAINER)
3737 break;
3738 tmp_pos = tmp;
3739 os_memcpy(tmp_pos, pos + 3, pos[1] - 1);
3740 tmp_pos += pos[1] - 1;
3741 pos += 2 + pos[1];
3742
3743 /* Add possible fragments */
3744 while (end - pos >= 2 && pos[0] == WLAN_EID_FRAGMENT &&
3745 2 + pos[1] <= end - pos) {
3746 os_memcpy(tmp_pos, pos + 2, pos[1]);
3747 tmp_pos += pos[1];
3748 pos += 2 + pos[1];
3749 }
3750
3751 fils_process_hlp_resp(sm, tmp, tmp_pos - tmp);
3752 }
3753
3754 os_free(tmp);
3755}
3756
3757
706df429
JM		 3758int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
3759{
3760 const struct ieee80211_mgmt *mgmt;
3761 const u8 *end, *ie_start;
3762 struct ieee802_11_elems elems;
3763 int keylen, rsclen;
3764 enum wpa_alg alg;
3765 struct wpa_gtk_data gd;
3766 int maxkeylen;
3767 struct wpa_eapol_ie_parse kde;
3768
3769 if (!sm || !sm->ptk_set) {
3770 wpa_printf(MSG_DEBUG, "FILS: No KEK available");
3771 return -1;
3772 }
3773
3774 if (!wpa_key_mgmt_fils(sm->key_mgmt)) {
3775 wpa_printf(MSG_DEBUG, "FILS: Not a FILS AKM");
3776 return -1;
3777 }
3778
3779 wpa_hexdump(MSG_DEBUG, "FILS: (Re)Association Response frame",
3780 resp, len);
3781
3782 mgmt = (const struct ieee80211_mgmt *) resp;
3783 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_resp))
3784 return -1;
3785
3786 end = resp + len;
3787 /* Same offset for Association Response and Reassociation Response */
3788 ie_start = mgmt->u.assoc_resp.variable;
3789
3790 if (ieee802_11_parse_elems(ie_start, end - ie_start, &elems, 1) ==
3791 ParseFailed) {
3792 wpa_printf(MSG_DEBUG,
3793 "FILS: Failed to parse decrypted elements");
3794 goto fail;
3795 }
3796
3797 if (!elems.fils_session) {
3798 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
3799 return -1;
3800 }
3801 if (os_memcmp(elems.fils_session, sm->fils_session,
3802 FILS_SESSION_LEN) != 0) {
3803 wpa_printf(MSG_DEBUG, "FILS: FILS Session mismatch");
3804 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
3805 elems.fils_session, FILS_SESSION_LEN);
3806 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
3807 sm->fils_session, FILS_SESSION_LEN);
3808 }
3809
3810 /* TODO: FILS Public Key */
3811
3812 if (!elems.fils_key_confirm) {
3813 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
3814 goto fail;
3815 }
3816 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
3817 wpa_printf(MSG_DEBUG,
3818 "FILS: Unexpected Key-Auth length %d (expected %d)",
3819 elems.fils_key_confirm_len,
3820 (int) sm->fils_key_auth_len);
3821 goto fail;
3822 }
3823 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_ap,
3824 sm->fils_key_auth_len) != 0) {
3825 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
3826 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
3827 elems.fils_key_confirm,
3828 elems.fils_key_confirm_len);
3829 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
3830 sm->fils_key_auth_ap, sm->fils_key_auth_len);
3831 goto fail;
3832 }
3833
3834 /* Key Delivery */
3835 if (!elems.key_delivery) {
3836 wpa_printf(MSG_DEBUG, "FILS: No Key Delivery element");
3837 goto fail;
3838 }
3839
3840 /* Parse GTK and set the key to the driver */
3841 os_memset(&gd, 0, sizeof(gd));
3842 if (wpa_supplicant_parse_ies(elems.key_delivery + WPA_KEY_RSC_LEN,
3843 elems.key_delivery_len - WPA_KEY_RSC_LEN,
3844 &kde) < 0) {
3845 wpa_printf(MSG_DEBUG, "FILS: Failed to parse KDEs");
3846 goto fail;
3847 }
3848 if (!kde.gtk) {
3849 wpa_printf(MSG_DEBUG, "FILS: No GTK KDE");
3850 goto fail;
3851 }
3852 maxkeylen = gd.gtk_len = kde.gtk_len - 2;
3853 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
3854 gd.gtk_len, maxkeylen,
3855 &gd.key_rsc_len, &gd.alg))
3856 goto fail;
3857
3858 wpa_hexdump_key(MSG_DEBUG, "FILS: Received GTK", kde.gtk, kde.gtk_len);
3859 gd.keyidx = kde.gtk[0] & 0x3;
3860 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
3861 !!(kde.gtk[0] & BIT(2)));
3862 if (kde.gtk_len - 2 > sizeof(gd.gtk)) {
3863 wpa_printf(MSG_DEBUG, "FILS: Too long GTK in GTK KDE (len=%lu)",
3864 (unsigned long) kde.gtk_len - 2);
3865 goto fail;
3866 }
3867 os_memcpy(gd.gtk, kde.gtk + 2, kde.gtk_len - 2);
3868
3869 wpa_printf(MSG_DEBUG, "FILS: Set GTK to driver");
3870 if (wpa_supplicant_install_gtk(sm, &gd, elems.key_delivery) < 0) {
3871 wpa_printf(MSG_DEBUG, "FILS: Failed to set GTK");
3872 goto fail;
3873 }
3874
3875 if (ieee80211w_set_keys(sm, &kde) < 0) {
3876 wpa_printf(MSG_DEBUG, "FILS: Failed to set IGTK");
3877 goto fail;
3878 }
3879
3880 alg = wpa_cipher_to_alg(sm->pairwise_cipher);
3881 keylen = wpa_cipher_key_len(sm->pairwise_cipher);
3882 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
3883 wpa_hexdump_key(MSG_DEBUG, "FILS: Set TK to driver",
3884 sm->ptk.tk, keylen);
3885 if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, null_rsc, rsclen,
3886 sm->ptk.tk, keylen) < 0) {
3887 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3888 "FILS: Failed to set PTK to the driver (alg=%d keylen=%d bssid="
3889 MACSTR ")",
3890 alg, keylen, MAC2STR(sm->bssid));
3891 goto fail;
3892 }
3893
3894 /* TODO: TK could be cleared after auth frame exchange now that driver
3895 * takes care of association frame encryption/decryption. */
3896 /* TK is not needed anymore in supplicant */
3897 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
3898
124ddfa1
JM		 3899 /* FILS HLP Container */
3900 fils_process_hlp_container(sm, ie_start, end - ie_start);
706df429
JM		 3901
3902 /* TODO: FILS IP Address Assignment */
3903
3904 wpa_printf(MSG_DEBUG, "FILS: Auth+Assoc completed successfully");
3905 sm->fils_completed = 1;
3906
3907 return 0;
3908fail:
3909 return -1;
3910}
3911
3912#endif /* CONFIG_FILS */
3913
3914
3915int wpa_fils_is_completed(struct wpa_sm *sm)
3916{
3917#ifdef CONFIG_FILS
3918 return sm && sm->fils_completed;
3919#else /* CONFIG_FILS */
3920 return 0;
f00b9b88 3921#endif /* CONFIG_FILS */
706df429 3922}
0a614799
JM		 3923
3924
3925#ifdef CONFIG_OWE
3926
3927struct wpabuf * owe_build_assoc_req(struct wpa_sm *sm)
3928{
3929 struct wpabuf *ie = NULL, *pub = NULL;
3930
3931 crypto_ecdh_deinit(sm->owe_ecdh);
3932 sm->owe_ecdh = crypto_ecdh_init(OWE_DH_GROUP);
3933 if (!sm->owe_ecdh)
3934 goto fail;
3935 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0);
3936 if (!pub)
3937 goto fail;
3938
3939 ie = wpabuf_alloc(5 + wpabuf_len(pub));
3940 if (!ie)
3941 goto fail;
3942 wpabuf_put_u8(ie, WLAN_EID_EXTENSION);
3943 wpabuf_put_u8(ie, 1 + 2 + wpabuf_len(pub));
3944 wpabuf_put_u8(ie, WLAN_EID_EXT_OWE_DH_PARAM);
3945 wpabuf_put_le16(ie, OWE_DH_GROUP);
3946 wpabuf_put_buf(ie, pub);
3947 wpabuf_free(pub);
3948 wpa_hexdump_buf(MSG_DEBUG, "OWE: Diffie-Hellman Parameter element",
3949 ie);
3950
3951 return ie;
3952fail:
3953 wpabuf_free(pub);
3954 crypto_ecdh_deinit(sm->owe_ecdh);
3955 sm->owe_ecdh = NULL;
3956 return NULL;
3957}
3958
3959
3960int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *resp_ies,
3961 size_t resp_ies_len)
3962{
3963 struct ieee802_11_elems elems;
3964 u16 group;
3965 struct wpabuf *secret, *pub, *hkey;
3966 int res;
3967 u8 prk[SHA256_MAC_LEN], pmkid[SHA256_MAC_LEN];
3968 const char *info = "OWE Key Generation";
3969 const u8 *addr[2];
3970 size_t len[2];
3971
3972 if (!resp_ies ||
3973 ieee802_11_parse_elems(resp_ies, resp_ies_len, &elems, 1) ==
3974 ParseFailed ||
3975 !elems.owe_dh) {
3976 wpa_printf(MSG_INFO,
3977 "OWE: No Diffie-Hellman Parameter element found in Association Response frame");
3978 return -1;
3979 }
3980
3981 group = WPA_GET_LE16(elems.owe_dh);
3982 if (group != OWE_DH_GROUP) {
3983 wpa_printf(MSG_INFO,
3984 "OWE: Unexpected Diffie-Hellman group in response: %u",
3985 group);
3986 return -1;
3987 }
3988
3989 if (!sm->owe_ecdh) {
3990 wpa_printf(MSG_INFO, "OWE: No ECDH state available");
3991 return -1;
3992 }
3993
3994 secret = crypto_ecdh_set_peerkey(sm->owe_ecdh, 0,
3995 elems.owe_dh + 2,
3996 elems.owe_dh_len - 2);
3997 if (!secret) {
3998 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
3999 return -1;
4000 }
4001 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
4002
4003 /* prk = HKDF-extract(C | A | group, z) */
4004
4005 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0);
4006 if (!pub) {
4007 wpabuf_clear_free(secret);
4008 return -1;
4009 }
4010
4011 /* PMKID = Truncate-128(Hash(C | A)) */
4012 addr[0] = wpabuf_head(pub);
4013 len[0] = wpabuf_len(pub);
4014 addr[1] = elems.owe_dh + 2;
4015 len[1] = elems.owe_dh_len - 2;
4016 res = sha256_vector(2, addr, len, pmkid);
4017 if (res < 0) {
4018 wpabuf_free(pub);
4019 wpabuf_clear_free(secret);
4020 return -1;
4021 }
4022
4023 hkey = wpabuf_alloc(wpabuf_len(pub) + elems.owe_dh_len - 2 + 2);
4024 if (!hkey) {
4025 wpabuf_free(pub);
4026 wpabuf_clear_free(secret);
4027 return -1;
4028 }
4029
4030 wpabuf_put_buf(hkey, pub); /* C */
4031 wpabuf_free(pub);
4032 wpabuf_put_data(hkey, elems.owe_dh + 2, elems.owe_dh_len - 2); /* A */
4033 wpabuf_put_le16(hkey, OWE_DH_GROUP); /* group */
4034 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
4035 wpabuf_head(secret), wpabuf_len(secret), prk);
4036 wpabuf_clear_free(hkey);
4037 wpabuf_clear_free(secret);
4038 if (res < 0)
4039 return -1;
4040
4041 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, SHA256_MAC_LEN);
4042
4043 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
4044
4045 res = hmac_sha256_kdf(prk, SHA256_MAC_LEN, NULL, (const u8 *) info,
4046 os_strlen(info), sm->pmk, PMK_LEN);
4047 os_memset(prk, 0, SHA256_MAC_LEN);
4048 if (res < 0)
4049 return -1;
4050
4051 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sm->pmk, PMK_LEN);
4052 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
4053 /* TODO: Add PMKSA cache entry */
4054
4055 return 0;
4056}
4057
4058#endif /* CONFIG_OWE */
Unnamed repository; edit this file 'description' to name the repository.